mirror of
https://git.dn42.dev/wiki/wiki.git
synced 2024-11-23 07:43:29 +01:00
parent
4af78f0286
commit
570bc4abde
4
Other.md
4
Other.md
@ -44,7 +44,7 @@ A wiki page dedicated to the AnoNet Network: http://wiki.qontrol.nl/Anonet
|
||||
|
||||
> This information is a caryover from the original dn42 wiki. most is unsubstantiated and probably invalid now. Included here for historical reasons. Keys and other parameters can be found in the registry under `tinc-key` and `tinc-keyset`
|
||||
|
||||
````
|
||||
```
|
||||
first tinc cloud
|
||||
================
|
||||
|
||||
@ -88,6 +88,6 @@ IP IPv6 User Host ASN
|
||||
172.22.255.161 fd04:de02:7af9::161 uves spline 64733
|
||||
172.22.255.162 fd04:de02:7af9::162 petrus beta 64751
|
||||
-------------- ------------------- --------- ----------- -----
|
||||
````
|
||||
```
|
||||
|
||||
|
||||
|
@ -9,9 +9,9 @@ The [DN42 registry](https://git.dn42.dev/dn42/registry) is the authoritative sou
|
||||
|
||||
A simple way to see all the active policies in the registry is to search the registry content for policy attributes:
|
||||
|
||||
````sh
|
||||
```sh
|
||||
grep -r ^policy data/inet{,6}num/
|
||||
````
|
||||
```
|
||||
|
||||
The [filter.txt](https://git.dn42.dev/dn42/registry/src/master/data/filter.txt) and [filter6.txt](https://git.dn42.dev/dn42/registry/src/master/data/filter6.txt) files within the registry detail the network wide constraints on what address ranges are in use together with the global limits on what can be announced.
|
||||
|
||||
|
@ -11,7 +11,7 @@ Below, you will see an example config for peers4 based on the original filter im
|
||||
To properly assign the right community to your peer, please reference the table below. If you are running your own network and peering internally, please also apply the communities inside your network.
|
||||
|
||||
## BGP community criteria
|
||||
````
|
||||
```
|
||||
(64511, 1) :: latency \in (0, 2.7ms]
|
||||
(64511, 2) :: latency \in (2.7ms, 7.3ms]
|
||||
(64511, 3) :: latency \in (7.3ms, 20ms]
|
||||
@ -39,12 +39,12 @@ bw = min(up,down) for asymmetric connections
|
||||
Propagation:
|
||||
- - for latency pick max(received_route.latency, link_latency)
|
||||
- - for encryption and bandwidth pick min between received BGP community and peer link
|
||||
````
|
||||
```
|
||||
For example, if your peer is 12ms away and the link speed between you is 250Mbit/s and you are peering using OpenVPN P2P, then the community string would be (3, 24, 33).
|
||||
|
||||
Two utilites which measure round trip time and calculate community values automatically are provided, written in [ruby](https://github.com/Mic92/bird-dn42/blob/master/bgp-community.rb) and [C](https://github.com/nixnodes/bird/blob/master/misc/dn42-comgen.c).
|
||||
|
||||
````
|
||||
```
|
||||
$ ruby bgp-community.rb --help
|
||||
USAGE: bgp-community.rb host mbit_speed unencrypted|unsafe|encrypted|pfs
|
||||
-6, --ipv6 Assume ipv6 for ping
|
||||
@ -56,11 +56,11 @@ $ ruby bgp-community.rb -6 dn42-2.higgsboson.tk 1000 pfs
|
||||
# 11 ms, 1000 mbit/s, pfs tunnel (updated: 2016-02-11)
|
||||
import where dn42_import_filter(3,25,34);
|
||||
export where dn42_export_filter(3,25,34);
|
||||
````
|
||||
```
|
||||
|
||||
### Route Origin
|
||||
According to [this mail](https://lists.nox.tf/pipermail/dn42/2015-December/001259.html) these are the communities for route origin:
|
||||
````
|
||||
```
|
||||
(64511, 41) :: Europe
|
||||
(64511, 42) :: North America-E
|
||||
(64511, 43) :: North America-C
|
||||
@ -74,7 +74,7 @@ According to [this mail](https://lists.nox.tf/pipermail/dn42/2015-December/00125
|
||||
(64511, 51) :: Asia-SE (TH,SG,PH,ID,MY)
|
||||
(64511, 52) :: Asia-E (JP,CN,KR)
|
||||
(64511, 53) :: Pacific
|
||||
````
|
||||
```
|
||||
|
||||
You need to add following lines to your config(s):
|
||||
- `define DN42_REGION = $VALUE_FROM_ABOVE` to your node's config (where OWNAS and OWNIP are set)
|
||||
@ -83,15 +83,15 @@ just above `update_flags` in `dn42_export_filter` function
|
||||
|
||||
|
||||
## Example configurations
|
||||
````
|
||||
```
|
||||
# /etc/bird/peers4/tombii.conf
|
||||
protocol bgp tombii from dnpeers {
|
||||
neighbor 172.23.102.x as 4242420321;
|
||||
import where dn42_import_filter(3,24,33);
|
||||
export where dn42_export_filter(3,24,33);
|
||||
};
|
||||
````
|
||||
````
|
||||
```
|
||||
```
|
||||
#/etc/bird/community_filters.conf
|
||||
function update_latency(int link_latency) {
|
||||
bgp_community.add((64511, link_latency));
|
||||
@ -159,9 +159,9 @@ function dn42_export_filter(int link_latency; int link_bandwidth; int link_crypt
|
||||
reject;
|
||||
}
|
||||
|
||||
````
|
||||
```
|
||||
Please remember to include /etc/bird/community_filters.conf in your bird.conf/birdc6.conf
|
||||
````
|
||||
```
|
||||
|
||||
# local configuration
|
||||
######################
|
||||
@ -172,7 +172,7 @@ include "bird/local4.conf";
|
||||
|
||||
include "/etc/bird/filter4.conf";
|
||||
include "/etc/bird/community_filters.conf";
|
||||
````
|
||||
```
|
||||
|
||||
|
||||
***
|
||||
|
@ -7,13 +7,13 @@ In the Debian release cycle the bird packages may become outdated at times, if t
|
||||
|
||||
This is not necessary for Debian Stretch, which currently ships the most recent version (1.6.3) in this repositories.
|
||||
|
||||
````sh
|
||||
```sh
|
||||
wget -O - http://bird.network.cz/debian/apt.key | apt-key add -
|
||||
apt-get install lsb-release
|
||||
echo "deb http://bird.network.cz/debian/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/bird.list
|
||||
apt-get update
|
||||
apt-get install bird
|
||||
````
|
||||
```
|
||||
|
||||
# Example configuration
|
||||
|
||||
@ -28,7 +28,7 @@ Note: This file covers the configuration of Bird 1.x. For an example configurati
|
||||
|
||||
### IPv6
|
||||
|
||||
````
|
||||
```
|
||||
#/etc/bird/bird6.conf
|
||||
protocol device {
|
||||
scan time 10;
|
||||
@ -96,9 +96,9 @@ template bgp dnpeers {
|
||||
}
|
||||
|
||||
include "/etc/bird/peers6/*";
|
||||
````
|
||||
```
|
||||
|
||||
````
|
||||
```
|
||||
# /etc/bird/local6.conf
|
||||
# should be a unique identifier, use same id as for ipv4
|
||||
router id <GATEWAY_IP>;
|
||||
@ -115,20 +115,20 @@ function is_valid_network() {
|
||||
fd00::/8{44,64} # ULA address space as per RFC 4193
|
||||
];
|
||||
}
|
||||
````
|
||||
```
|
||||
|
||||
````
|
||||
```
|
||||
# /etc/bird/peers6/<PEER_NAME>
|
||||
protocol bgp <PEER_NAME> from dnpeers {
|
||||
neighbor <PEERING_IP> as <PEER_AS>;
|
||||
# if you use link-local ipv6 addresses for peering using the following
|
||||
# neighbor <PEERING_IP> % '<INTERFACE_NAME>' as <PEER_AS>;
|
||||
};
|
||||
````
|
||||
```
|
||||
|
||||
### IPv4
|
||||
|
||||
````
|
||||
```
|
||||
# /etc/bird/bird.conf
|
||||
# Device status
|
||||
protocol device {
|
||||
@ -205,9 +205,9 @@ template bgp dnpeers {
|
||||
};
|
||||
|
||||
include "/etc/bird/peers4/*";
|
||||
````
|
||||
```
|
||||
|
||||
````
|
||||
```
|
||||
#/etc/bird/local4.conf
|
||||
# should be a unique identifier, <GATEWAY_IP> is what most people use.
|
||||
router id <GATEWAY_IP>;
|
||||
@ -232,14 +232,14 @@ function is_valid_network() {
|
||||
10.0.0.0/8{15,24} # Freifunk.net
|
||||
];
|
||||
}
|
||||
````
|
||||
```
|
||||
|
||||
````
|
||||
```
|
||||
# /etc/bird/peers4/<PEER_NAME>
|
||||
protocol bgp <PEER_NAME> from dnpeers {
|
||||
neighbor <PEERING_IP> as <PEER_AS>;
|
||||
};
|
||||
````
|
||||
```
|
||||
|
||||
# Bird communities
|
||||
|
||||
@ -270,23 +270,23 @@ ROA files generated by [dn42regsrv](https://git.dn42.dev/burble/dn42regsrv) are
|
||||
|
||||
You can add cron entries to periodically update the tables:
|
||||
|
||||
````
|
||||
```
|
||||
*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && chronic birdc6 configure
|
||||
*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && chronic birdc configure
|
||||
````
|
||||
```
|
||||
|
||||
Debian version:
|
||||
|
||||
````
|
||||
```
|
||||
*/15 * * * * curl -sfSLR -o/var/lib/bird/bird6_roa_dn42.conf -z/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && /usr/sbin/birdc6 configure
|
||||
*/15 * * * * curl -sfSLR -o/var/lib/bird/bird_roa_dn42.conf -z/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && /usr/sbin/birdc configure
|
||||
````
|
||||
```
|
||||
|
||||
then create the directory to make sure curls can save the files:
|
||||
|
||||
````
|
||||
```
|
||||
mkdir -p /var/lib/bird/
|
||||
````
|
||||
```
|
||||
|
||||
### Use RPKI ROA for bird2
|
||||
* Download gortr
|
||||
@ -295,22 +295,22 @@ mkdir -p /var/lib/bird/
|
||||
|
||||
* Running gortr,need golang environment.
|
||||
|
||||
````
|
||||
```
|
||||
./gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
|
||||
````
|
||||
```
|
||||
|
||||
|
||||
* run with docker
|
||||
|
||||
`docker pull cloudflare/gortr`
|
||||
|
||||
````
|
||||
```
|
||||
docker run --name dn42rpki -p 8282:8282 --restart=always -d cloudflare/gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
|
||||
````
|
||||
```
|
||||
|
||||
* Add this to your bird configure file,other ROA protocol must removed.
|
||||
|
||||
````
|
||||
```
|
||||
protocol rpki rpki_dn42{
|
||||
roa4 { table dn42_roa; };
|
||||
roa6 { table dn42_roa_v6; };
|
||||
@ -321,26 +321,26 @@ protocol rpki rpki_dn42{
|
||||
refresh keep 900;
|
||||
expire keep 172800;
|
||||
}
|
||||
````
|
||||
```
|
||||
|
||||
## Filter configuration
|
||||
|
||||
In your import filter add the following to reject invalid routes:
|
||||
|
||||
````
|
||||
```
|
||||
if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
|
||||
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
|
||||
reject;
|
||||
}
|
||||
````
|
||||
```
|
||||
|
||||
Also, define your ROA table with:
|
||||
|
||||
````
|
||||
```
|
||||
roa table dn42_roa {
|
||||
include "/var/lib/bird/bird_roa_dn42.conf";
|
||||
};
|
||||
````
|
||||
```
|
||||
|
||||
|
||||
**NOTE**: Make sure you setup ROA checks for both bird and bird6 (for IPv6).
|
||||
@ -349,7 +349,7 @@ roa table dn42_roa {
|
||||
|
||||
bird can be remote controlled via the `birdc` command. Here is a list of useful bird commands:
|
||||
|
||||
````
|
||||
```
|
||||
$ birdc
|
||||
BIRD 1.4.5 ready.
|
||||
bird> configure # reload configuration
|
||||
@ -389,7 +389,7 @@ bird> show route filtered # shows routed filtered out by rules
|
||||
bird> show route protocol <somepeer> # shows the route they export to you
|
||||
bird> show route export <somepeer> # shows the route you export to someone
|
||||
...
|
||||
````
|
||||
```
|
||||
|
||||
# External Links
|
||||
* detailed bird configuration from Mic92: https://github.com/Mic92/bird-dn42
|
||||
|
@ -19,7 +19,7 @@ When copying the configuration below onto your system, you will have to enter th
|
||||
* The same goes for `<OWNNETv6>`, but it takes an IPv6 subnet (Who'd have thought).
|
||||
* Keep in mind that you'll have to enter both networks in the OWNNET{,v6} and OWNNETSET{,v6}, the two variables are required due to set parsing difficulties with variables.
|
||||
|
||||
````
|
||||
```
|
||||
################################################
|
||||
# Variable header #
|
||||
################################################
|
||||
@ -165,7 +165,7 @@ template bgp dnpeers {
|
||||
|
||||
|
||||
include "/etc/bird/peers/*";
|
||||
````
|
||||
```
|
||||
|
||||
# Route Origin Authorization
|
||||
|
||||
@ -177,15 +177,15 @@ Please note: This section assumes that you've already got a tunnel to your peeri
|
||||
|
||||
First, make sure the /etc/bird/peers directory exists:
|
||||
|
||||
````
|
||||
```
|
||||
# mkdir -p /etc/bird/peers
|
||||
````
|
||||
```
|
||||
|
||||
Then for each peer, create a configuration file similar to this one:
|
||||
|
||||
`/etc/bird/peers/<NEIGHBOR_NAME>.conf`:
|
||||
|
||||
````
|
||||
```
|
||||
protocol bgp <NEIGHBOR_NAME> from dnpeers {
|
||||
neighbor <NEIGHBOR_IP> as <NEIGHBOR_ASN>;
|
||||
}
|
||||
@ -193,6 +193,6 @@ protocol bgp <NEIGHBOR_NAME> from dnpeers {
|
||||
protocol bgp <NEIGHBOR_NAME>_v6 from dnpeers {
|
||||
neighbor <NEIGHBOR_IPv6>%<NEIGHBOR_INTERFACE> as <NEIGHBOR_ASN>;
|
||||
}
|
||||
````
|
||||
```
|
||||
|
||||
Due to the special link local addresses of IPv6, an interface has to be specified using the %<if> syntax if a link local address is used (Which is recommended)
|
@ -18,7 +18,7 @@ Running email in dn42 is not very complicated. Your SMTP daemon probably alread
|
||||
~~Send an email to `test@evenet.dn42` to check if your mail setup is correct.~~ This host will reply using the following
|
||||
sieve filter:
|
||||
|
||||
````
|
||||
```
|
||||
require ["regex", "variables", "vacation-seconds"];
|
||||
if header :contains "To" ["test@evenet.dn42"] {
|
||||
if header :matches "Subject" "*" {
|
||||
@ -26,7 +26,7 @@ if header :contains "To" ["test@evenet.dn42"] {
|
||||
}
|
||||
vacation :addresses ["test@evenet.dn42"] :seconds 60 :subject "Re: ${subject_was}" "Your dn42 email setup works!";
|
||||
}
|
||||
````
|
||||
```
|
||||
|
||||
## Exim tips
|
||||
|
||||
@ -65,25 +65,25 @@ This should to the trick for sending mails via your DN42-IP
|
||||
If you use `smtpd_recipient_restrictions` you can use the following rule to white-list dn42 as sender.
|
||||
This can circumvent certain rdns configuration failure or in case you use rbl lists:
|
||||
|
||||
````
|
||||
```
|
||||
smtpd_recipient_restrictions = permit_mynetworks,
|
||||
permit_sasl_authenticated,
|
||||
check_client_access cidr:/etc/postfix/dn42.cidr,
|
||||
reject_non_fqdn_sender,
|
||||
# ...
|
||||
permit
|
||||
````
|
||||
```
|
||||
|
||||
````
|
||||
```
|
||||
#/etc/postfix/dn42.cidr
|
||||
172.16.0.0/12 OK
|
||||
10.0.0.0/8 OK
|
||||
fc00::/7 OK
|
||||
````
|
||||
```
|
||||
|
||||
````
|
||||
```
|
||||
$ postmap /etc/postfix/dn42.cidr
|
||||
````
|
||||
```
|
||||
|
||||
|
||||
### Receiving emails
|
||||
|
@ -12,7 +12,7 @@ This is the config I (Felicitus) am running on an Ubiquiti EdgeRouter Lite (AS76
|
||||
|
||||
## Upcoming
|
||||
|
||||
* AICCU integration (SIXXS), probably not possible with the config, so ````apt-get install aiccu```` should do the trick
|
||||
* AICCU integration (SIXXS), probably not possible with the config, so ```apt-get install aiccu``` should do the trick
|
||||
* dn42 IPv6 routing (probably)
|
||||
|
||||
Ask me if you want to know if I have implemented those items already.
|
||||
@ -20,7 +20,7 @@ Ask me if you want to know if I have implemented those items already.
|
||||
|
||||
# Configuration
|
||||
|
||||
````
|
||||
```
|
||||
firewall {
|
||||
all-ping enable
|
||||
broadcast-ping disable
|
||||
@ -376,4 +376,4 @@ traffic-policy {
|
||||
/* Warning: Do not remove the following line. */
|
||||
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
|
||||
/* Release version: v1.3.0.4605130.131011.1754 */
|
||||
````
|
||||
```
|
@ -10,18 +10,18 @@ This page describes how to configure GRE tunnels on FreeBSD.
|
||||
|
||||
## Create a temporary gre tunnel
|
||||
|
||||
````bash
|
||||
```bash
|
||||
ifconfig gre$INDEX create
|
||||
ifconfig gre$INDEX tunnel $TUNNEL_SRC $TUNNEL_DST
|
||||
ifconfig gre$INDEX inet $LOCAL $REMOTE netmask 0xffffffff
|
||||
ifconfig gre$INDEX descr $DESCR
|
||||
````
|
||||
```
|
||||
|
||||
## Create a persistent gre tunnel
|
||||
|
||||
Add this to your `rc.conf`.
|
||||
|
||||
````
|
||||
```
|
||||
cloned_interfaces="$cloned_interfaces gre0"
|
||||
ifconfig_gre0="10.0.0.1 10.0.0.2 netmask 0xffffffff tunnel 1.2.3.4 5.6.7.8 descr foo"
|
||||
````
|
||||
```
|
||||
|
@ -9,10 +9,10 @@ Let `fd42::` and `fd42::1` be the IPs of *A* and *D* respectively where both are
|
||||
|
||||
## pseudo interface
|
||||
Populate [`/etc/hostname.gre0`](https://man.openbsd.org/hostname.if.5) with:
|
||||
````
|
||||
```
|
||||
tunnel A.example.com D.example.net
|
||||
inet6 fd42::/127
|
||||
````
|
||||
```
|
||||
This will resolve FQDNs at parse time, set *A*'s and *D*'s IPs as source and destination tunnel address and set *A*'s assigned IP as point-to-point address on the interface.
|
||||
|
||||
Replace hostnames in the `tunnel` line with literal IPs if DNS is not available (at system boot).
|
||||
@ -21,14 +21,14 @@ Reboot or run [`sh /etc/netstart gre0`](https://man.openbsd.org/netstart.8) to b
|
||||
|
||||
## miscellaneous
|
||||
Populate `/etc/sysctl.conf` with:
|
||||
````
|
||||
```
|
||||
net.inet.gre.allow=1
|
||||
````
|
||||
```
|
||||
Reboot or run `sysctl net.inet.gre.allow=1` to allow GRE packet processing.
|
||||
|
||||
-
|
||||
At this point, `gre0` will be administratively *UP*:
|
||||
````
|
||||
```
|
||||
$ ifconfig gre0
|
||||
gre0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1476
|
||||
index 22 priority 0 llprio 6
|
||||
@ -37,10 +37,10 @@ gre0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1476
|
||||
tunnel: inet6 2001:db8::a --> 2001:db9::d ttl 64 nodf ecn
|
||||
inet6 fe80::221:28ff:fef9:c1d8%gre0 --> prefixlen 64 scopeid 0x16
|
||||
inet6 fd42:: --> prefixlen 127
|
||||
````
|
||||
```
|
||||
|
||||
All traffic destined to `fd42::1/127` will be encapsulated and routed to *D*:
|
||||
````
|
||||
```
|
||||
$ route show
|
||||
[...]
|
||||
Internet6:
|
||||
@ -53,8 +53,8 @@ fe80::221:28ff:fef9:c1d8%gre0 fe80::221:28ff:fef9:c1d8%gre0 UHl 0
|
||||
ff01::%gre0/32 fe80::221:28ff:fef9:c1d8%gre0 Um 0 1 - 4 gre0
|
||||
ff02::%gre0/32 fe80::221:28ff:fef9:c1d8%gre0 Um 0 1 - 4 gre0
|
||||
[...]
|
||||
````
|
||||
````
|
||||
```
|
||||
```
|
||||
$ route -n get fd42::1
|
||||
route to: fd42::1
|
||||
destination: fd42::1
|
||||
@ -65,7 +65,7 @@ destination: fd42::1
|
||||
flags: <UP,HOST,DONE,CLONED>
|
||||
use mtu expire
|
||||
3181 0 0
|
||||
````
|
||||
```
|
||||
|
||||
# Security
|
||||
GRE may be protected with IPsec to encrypt and authenticate traffic, [OpenIKED](http://www.openiked.org/) can be used to establish an IKEv2 session between *A* and *D*.
|
@ -65,14 +65,14 @@ Common authentication methods are:
|
||||
- SSH Key: `auth: ssh-{rsa,ed25519} <key>`
|
||||
|
||||
Example: data/mntner/FOO-MNT
|
||||
````
|
||||
```
|
||||
mntner: FOO-MNT
|
||||
admin-c: FOO-DN42
|
||||
tech-c: FOO-DN42
|
||||
mnt-by: FOO-MNT
|
||||
auth: pgp-fingerprint 0123456789ABCDEF0123456789ABCDEF01234567
|
||||
source: DN42
|
||||
````
|
||||
```
|
||||
|
||||
### Create person objects
|
||||
|
||||
@ -91,13 +91,13 @@ Contact attributes are optional but DN42 is a dynamic network and being able to
|
||||
|
||||
|
||||
Example: data/person/FOO-DN42
|
||||
````
|
||||
```
|
||||
person: John Doe
|
||||
e-mail: john.doe@example.com
|
||||
nic-hdl: FOO-DN42
|
||||
mnt-by: FOO-MNT
|
||||
source: DN42
|
||||
````
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
@ -114,14 +114,14 @@ If you intend to register resources for an organisation (e.g. your hackerspace),
|
||||
- don't forget to set `mnt-by` to `<FOO>-MNT`, since you're managing this object on behalf of your organisation.
|
||||
|
||||
Example: data/organisation/ORG-EXAMPLE
|
||||
````
|
||||
```
|
||||
organisation: ORG-FOO
|
||||
org-name: Foo Organisation
|
||||
admin-c: FOO-DN42
|
||||
tech-c: FOO-DN42
|
||||
mnt-by: FOO-MNT
|
||||
source: DN42
|
||||
````
|
||||
```
|
||||
|
||||
### Guidelines for resource objects
|
||||
|
||||
@ -151,14 +151,14 @@ Internet ASNs may be used, but you must take care to clearly separate Internet a
|
||||
If unsure, ask on the mailing list or IRC.
|
||||
|
||||
Example: data/aut-num/AS4242423999
|
||||
````
|
||||
```
|
||||
aut-num: AS4242423999
|
||||
as-name: AS-FOO-DN42
|
||||
admin-c: FOO-DN42
|
||||
tech-c: FOO-DN42
|
||||
mnt-by: FOO-MNT
|
||||
source: DN42
|
||||
````
|
||||
```
|
||||
|
||||
### Register a network prefix
|
||||
|
||||
@ -177,7 +177,7 @@ A few websites can generate random ULA prefixes for you:
|
||||
or a small script is available: [ulagen.py](https://git.dn42.dev/netravnen/dn42-repo-utils/src/master/ulagen.py)
|
||||
|
||||
example: data/inet6num/fd35:4992:6a6d::_48
|
||||
````
|
||||
```
|
||||
inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
|
||||
cidr: fd35:4992:6a6d::/48
|
||||
netname: FOO-NETWORK
|
||||
@ -188,7 +188,7 @@ tech-c: FOO-DN42
|
||||
mnt-by: FOO-MNT
|
||||
status: ASSIGNED
|
||||
source: DN42
|
||||
````
|
||||
```
|
||||
|
||||
#### IPv4 (Legacy)
|
||||
|
||||
@ -219,7 +219,7 @@ If you need a /24 or larger, please ask in the IRC chan or on the mailing list a
|
||||
**Note:** Reverse DNS works with _any_ prefix length, as long as your [recursive nameserver](/services/DNS) supports [RFC 2317](https://www.ietf.org/rfc/rfc2317.txt). Don't go for a /24 _just to have RDNS_.
|
||||
|
||||
example: data/inetnum/172.20.150.0_27
|
||||
````
|
||||
```
|
||||
inetnum: 172.20.150.0 - 172.20.150.31
|
||||
cidr: 172.20.150.0/27
|
||||
netname: FOO-NETWORK
|
||||
@ -228,28 +228,28 @@ tech-c: FOO-DN42
|
||||
mnt-by: FOO-MNT
|
||||
status: ASSIGNED
|
||||
source: DN42
|
||||
````
|
||||
```
|
||||
|
||||
#### Create route objects
|
||||
|
||||
If you plan to announce your prefixes in dn42, which you probably want in most cases, you will also need to create a `route6` object for ipv6 prefixes and a `route` object for ipv4 prefixes. This information is used for Route Origin Authorization (ROA) checks. If you skip this step, your network will probably get filtered by most major peers. Checking ROA will prevent (accidental) hijacking of other people's prefixes.
|
||||
|
||||
example: data/route6/fd35:4992:6a6d::_48
|
||||
````
|
||||
```
|
||||
route6: fd35:4992:6a6d::/48
|
||||
origin: AS4242423999
|
||||
max-length: 48
|
||||
mnt-by: FOO-MNT
|
||||
source: DN42
|
||||
````
|
||||
```
|
||||
|
||||
example data/route/172.20.150.0_27:
|
||||
````
|
||||
```
|
||||
route: 172.20.150.0/27
|
||||
origin: AS4242423999
|
||||
mnt-by: FOO-MNT
|
||||
source: DN42
|
||||
````
|
||||
```
|
||||
|
||||
#### DNS and Domain Registration
|
||||
|
||||
@ -258,7 +258,7 @@ To register a domain name, create a `dns` object in the data/dns directory.
|
||||
Domain names and nserver attributes must be lowercase.
|
||||
|
||||
example: data/dns/foo.dn42
|
||||
````
|
||||
```
|
||||
domain: foo.dn42
|
||||
admin-c: FOO-DN42
|
||||
tech-c: FOO-DN42
|
||||
@ -268,17 +268,17 @@ nserver: ns1.foo.dn42 fd35:4992:6a6d:53::1
|
||||
nserver: ns2.foo.dn42 172.20.150.2
|
||||
nserver: ns2.foo.dn42 fd35:4992:6a6d:53::2
|
||||
source: DN42
|
||||
````
|
||||
```
|
||||
|
||||
You can also add DNSSEC delegations using `ds-rdata` attributes to your domain:
|
||||
|
||||
````
|
||||
```
|
||||
ds-rdata: 61857 13 2 bd35e3efe3325d2029fb652e01604a48b677cc2f44226eeabee54b456c67680c
|
||||
````
|
||||
```
|
||||
|
||||
For reverse DNS, add `nserver` attributes to you inet{,6}num objects:
|
||||
|
||||
````
|
||||
```
|
||||
inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
|
||||
cidr: fd35:4992:6a6d::/48
|
||||
netname: FOO-NETWORK
|
||||
@ -291,7 +291,7 @@ status: ASSIGNED
|
||||
nserver: ns1.foo.dn42
|
||||
nserver: ns2.foo.dn42
|
||||
source: DN42
|
||||
````
|
||||
```
|
||||
|
||||
# Get some peers
|
||||
|
||||
|
@ -10,17 +10,17 @@ These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPs
|
||||
## Kernel configuration
|
||||
The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
|
||||
If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
|
||||
````
|
||||
```
|
||||
options IPSEC #IP security
|
||||
device crypto
|
||||
````
|
||||
```
|
||||
Reboot into your new kernel.
|
||||
|
||||
## Userland configuration
|
||||
|
||||
Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
|
||||
Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
|
||||
````
|
||||
```
|
||||
path pre_shared_key "/usr/local/etc/racoon/psk";
|
||||
path certificate "/usr/local/etc/racoon/certs";
|
||||
log info;
|
||||
@ -69,4 +69,4 @@ sainfo (address a.b.c.d gre address b.c.d.e gre) {
|
||||
authentication_algorithm hmac_sha1;
|
||||
}
|
||||
|
||||
````
|
||||
```
|
@ -12,26 +12,26 @@
|
||||
|
||||
## Define an IPsec security policy
|
||||
Example policy on 1.2.3.4:
|
||||
````bash
|
||||
```bash
|
||||
#!/usr/sbin/setkey -f
|
||||
spdadd 1.2.3.4 5.6.7.8 gre -P out ipsec esp/transport//require;
|
||||
spdadd 5.6.7.8 1.2.3.4 gre -P in ipsec esp/transport//require;
|
||||
````
|
||||
```
|
||||
Change the direction on 5.6.7.8.
|
||||
|
||||
## Load the IPsec security policy into the IPsec security policy database
|
||||
Load the policy with the setkey command.
|
||||
````
|
||||
```
|
||||
setkey -f /etc/ipsec-tools.conf
|
||||
````
|
||||
```
|
||||
Afterward check the policy database with:
|
||||
````
|
||||
```
|
||||
setkey -DP
|
||||
````
|
||||
```
|
||||
|
||||
## Configure the racoon daemon
|
||||
An example /etc/racoon/racoon.conf.
|
||||
````
|
||||
```
|
||||
path pre_shared_key "/etc/racoon/psk.txt";
|
||||
path certificate "/etc/racoon/certs";
|
||||
log info;
|
||||
@ -72,11 +72,11 @@ sainfo address 1.2.3.4 47 address 5.6.7.8 47 {
|
||||
authentication_algorithm hmac_sha1;
|
||||
compression_algorithm deflate;
|
||||
}
|
||||
````
|
||||
```
|
||||
|
||||
## Configure a GRE tunnel
|
||||
Add this to /etc/network/interfaces:
|
||||
````
|
||||
```
|
||||
auto gre1
|
||||
iface gre1 inet tunnel
|
||||
mode gre
|
||||
@ -86,4 +86,4 @@ iface gre1 inet tunnel
|
||||
endpoint 5.6.7.8
|
||||
local 1.2.3.4
|
||||
ttl 255
|
||||
````
|
||||
```
|
||||
|
@ -4,7 +4,7 @@ See also [strongswan](howto/IPsecWithPublicKeys/strongSwan5Example)
|
||||
|
||||
The keys are generated with plainrsa-gen.
|
||||
|
||||
````
|
||||
```
|
||||
Usage: plainrsa-gen [options]
|
||||
|
||||
-b bits Generate <bits> long RSA key (default=1024)
|
||||
@ -12,12 +12,12 @@ Usage: plainrsa-gen [options]
|
||||
-f filename Filename to store the key to (default=stdout)
|
||||
-i filename Input source for format conversion
|
||||
-h Help
|
||||
````
|
||||
```
|
||||
I'd probably go with 4096 bits.
|
||||
|
||||
|
||||
in your racoon.conf:
|
||||
````
|
||||
```
|
||||
path certificate "/etc/racoon/keys";
|
||||
|
||||
listen {
|
||||
@ -36,7 +36,7 @@ remote 192.168.255.2 {
|
||||
dh_group modp1024;
|
||||
}
|
||||
}
|
||||
````
|
||||
```
|
||||
|
||||
## Se also
|
||||
|
||||
|
@ -5,14 +5,14 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
|
||||
## Quickstart
|
||||
|
||||
* Install pim6sd from here: https://github.com/troglobit/pim6sd/
|
||||
````sh
|
||||
```sh
|
||||
cd /usr/src
|
||||
git clone https://github.com/troglobit/pim6sd.git
|
||||
cd pim6sd
|
||||
./autogen.sh
|
||||
./configure
|
||||
make
|
||||
````
|
||||
```
|
||||
* Find a peer who is already connected to the dn42 multicast backbone
|
||||
* Calculate your personal, embedded-RP multicast prefix matching your network prefix via [RFC3956](https://tools.ietf.org/html/rfc3956)
|
||||
* Example:
|
||||
@ -26,7 +26,7 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
|
||||
|
||||
* Create a dummy interface to hold your calculated unicast Rendezvous Point address. This one needs to be reachable from within dn42. Also set "multicast on" on this dummy interface. Example:
|
||||
|
||||
````
|
||||
```
|
||||
# /etc/network/interfaces.d/pim6sd
|
||||
auto pim-router-id
|
||||
iface pim-router-id inet manual
|
||||
@ -34,11 +34,11 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
|
||||
post-up ip link set multicast on dev $IFACE
|
||||
post-up ip -6 a a fd00:2001:db8::2/128 dev $IFACE
|
||||
post-down ip link del $IFACE
|
||||
````
|
||||
```
|
||||
|
||||
* Create the configuration file:
|
||||
|
||||
````sh
|
||||
```sh
|
||||
# /etc/pim6sd.conf
|
||||
# disable all interfaces by default
|
||||
default_phyint_status disable;
|
||||
@ -52,7 +52,7 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
|
||||
# configure rendezvous point for the personal multicast prefix
|
||||
cand_rp pim-router-id;
|
||||
group_prefix ff7e:230:fd00:2001:db8::/96;
|
||||
````
|
||||
```
|
||||
|
||||
The `phyint` statement enables [PIM](https://tools.ietf.org/html/rfc7761) and [MLD](https://tools.ietf.org/html/rfc2710) on the target interface - by default all interfaces are in the disable state. Enable an interface if it is directed towards a multicast-capable peer or other multicast-capable routers in your autonomous system. Also enable it for downstream network segments with multicast listeners and senders, like for example your home (W)LAN segments.
|
||||
|
||||
@ -66,7 +66,7 @@ The following guide illustrates how to set up an IPv6 multicast router using [PI
|
||||
|
||||
On your router:
|
||||
|
||||
````sh
|
||||
```sh
|
||||
allow-hotplug pim-ns0
|
||||
iface pim-ns0 inet manual
|
||||
pre-up ip link add pim-ns0 type veth peer name pim-ns1
|
||||
@ -78,24 +78,24 @@ iface pim-ns0 inet manual
|
||||
post-up ip netns exec pim-ns0 ip -6 r a default via fdd5:69d5:c530:1::1
|
||||
post-down ip link del pim-ns0
|
||||
post-down ip netns del pim-ns0
|
||||
````
|
||||
```
|
||||
|
||||
You can now switch into this test network namespace via "ip netns exec /bin/bash". Inside this network namespace you can try:
|
||||
|
||||
### Creating a test multicast listener
|
||||
|
||||
````
|
||||
```
|
||||
$ socat -u UDP6-RECV:1234,reuseaddr,ipv6-join-group="[ff7e:230:fdd5:69d5:c530::123]:eth0" -
|
||||
````
|
||||
```
|
||||
|
||||
### Creating a test multicast sender
|
||||
|
||||
First select which interface should be the default one for your multicast traffic. Then send multicast packets via ICMPv6:
|
||||
|
||||
````
|
||||
```
|
||||
$ ip -6 route add ff7e:230:fdd5:69d5:c530::/96 dev eth0 table local
|
||||
$ ping6 -t 16 ff7e:230:fdd5:69d5:c530::123
|
||||
````
|
||||
```
|
||||
|
||||
The "-t 16", a hop-limit of 16, is important here as **by default all multicast traffic is usually send with a hop-limit of just 1**.
|
||||
|
||||
|
@ -65,10 +65,10 @@ Enter NPT. Address your services using a reserved private block, and map that bl
|
||||
For example, if you've been assigned a public /48 prefix, and want to be reachable on DN42 aswell, you can use only ULA addresses from DN42 internally (or your own!), then map them to outside prefixes. Note that they'll need to all use the same prefix size to maintain the one-to-one mapping, so you may have to subnet the public prefix.
|
||||
|
||||
In Linux's netfilter, this can be implemented through the use of the NETMAP target, for the example above:
|
||||
````
|
||||
```
|
||||
ip6tables -t nat -A POSTROUTING -d 2000::/3 -s <DN42-PREFIX>:<SUBNET>::/56 -j NETMAP --to <PUBLIC-PREFIX>:<SUBNET>::/56; # Map ULA to the public prefix for outgoing packets
|
||||
ip6tables -t nat -A PREROUTING -s 2000::/3 -d <PUBLIC-PREFIX>:<SUBNET>::/56 -j NETMAP --to <DN42-PREFIX>:<SUBNET>::/56; # Map public prefix to ULA for incoming packets
|
||||
````
|
||||
```
|
||||
|
||||
|
||||
### With Multiple Prefixes
|
||||
|
@ -1,7 +1,7 @@
|
||||
## Number of routes by AS
|
||||
|
||||
IPv4:
|
||||
````bash
|
||||
```bash
|
||||
#!/bin/bash
|
||||
if [ "$1" = "config" ];then
|
||||
echo graph_title Number of routes
|
||||
@ -14,10 +14,10 @@ if [ "$1" = "config" ];then
|
||||
else
|
||||
ip r|sed 's/.* dev //;s/ .*//'|sort|uniq -c|grep as|awk '{print $2".value "$1}'
|
||||
fi
|
||||
````
|
||||
```
|
||||
|
||||
IPv6:
|
||||
````bash
|
||||
```bash
|
||||
#!/bin/bash
|
||||
if [ "$1" = "config" ];then
|
||||
echo graph_title Number of routes
|
||||
@ -30,7 +30,7 @@ if [ "$1" = "config" ];then
|
||||
else
|
||||
ip -6 r|sed 's/.* dev //;s/ .*//'|sort|uniq -c|grep as|awk '{print $2".value "$1}'
|
||||
fi
|
||||
````
|
||||
```
|
||||
(hint: The difference just the -6 on the ip command)
|
||||
|
||||
## Graph routes and activity for every neighbour
|
||||
@ -39,19 +39,19 @@ This munin-plugin makes it very easy to graph the announced routes and activity
|
||||
https://github.com/luben/bird-multigraph-plugin
|
||||
|
||||
It's also possible to get notified by Munin when a problem with the peering persists. You have to define a critical value in line 138:
|
||||
````
|
||||
```
|
||||
imported.critical 1:
|
||||
````
|
||||
```
|
||||
This will send execute the command (set in munin-node.conf) to alert you, if the imported route count falls under 1.
|
||||
|
||||
You might also want to change line 125 from
|
||||
````
|
||||
```
|
||||
graph_title $proto->{title} routes
|
||||
````
|
||||
```
|
||||
to
|
||||
````
|
||||
```
|
||||
graph_title $name routes
|
||||
````
|
||||
```
|
||||
|
||||
Example installation:
|
||||
http://stats.tbspace.de/munin-cgi/munin-cgi-graph/tbspace.de/server.tbspace.de/dn42_crest_routes-day.png
|
@ -16,7 +16,7 @@ By default, [bgpd(8)](http://man.openbsd.org/bgpd.8) listens on all local addres
|
||||
|
||||
## local host
|
||||
Information such as ASN, router ID and allocated networks are required:
|
||||
````
|
||||
```
|
||||
# macros
|
||||
ASN="4242421234"
|
||||
|
||||
@ -27,21 +27,21 @@ router-id 1.2.3.4
|
||||
prefix-set mynetworks {
|
||||
fd00:12:34::/48
|
||||
}
|
||||
````
|
||||
```
|
||||
|
||||
These can be used in subsequent filter rules.
|
||||
The local peer's announcements is then defined as follows:
|
||||
````
|
||||
```
|
||||
# Generate routes for the networks our ASN will originate.
|
||||
# The communities (read 'tags') are later used to match on what
|
||||
# is announced to EBGP neighbors
|
||||
network prefix-set mynetworks set large-community $ASN:1:1
|
||||
````
|
||||
```
|
||||
|
||||
## neighbors
|
||||
For each neighbor its ASN and transfer ULA is required.
|
||||
An optional description is provided such that [bgpctl(8)](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers:
|
||||
````
|
||||
```
|
||||
# peer A, transport over IPSec/GRE
|
||||
$A_local="fd00:12:34:A::1"
|
||||
$A_remote="fd00:12:34:A::2"
|
||||
@ -53,7 +53,7 @@ neighbor $A_remote {
|
||||
remote-as $A_ASN
|
||||
descr "A"
|
||||
}
|
||||
````
|
||||
```
|
||||
|
||||
## filter rules
|
||||
**bgpd** blocks all BGP __UPDATE__ messages by default.
|
||||
@ -61,35 +61,35 @@ The filter rules are evaluated in sequential order, form first to last.
|
||||
The last matching allow or deny rule decides what action is taken.
|
||||
|
||||
Start off with basic protection and sanity rules:
|
||||
````
|
||||
```
|
||||
# deny more-specifics of our own originated prefixes
|
||||
deny quick from ebgp prefix-set mynetworks or-longer
|
||||
|
||||
# filter out too long paths, establish more peerings instead
|
||||
deny quick from any max-as-len 8
|
||||
````
|
||||
```
|
||||
|
||||
`quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped.
|
||||
|
||||
Allow own announcements:
|
||||
````
|
||||
```
|
||||
# Outbound EBGP: only allow self originated networks to ebgp peers
|
||||
# Don't leak any routes from upstream or peering sessions. This is done
|
||||
# by checking for routes that are tagged with the large-community $ASN:1:1
|
||||
allow to ebgp prefix-set kn large-community $ASN:1:1
|
||||
````
|
||||
```
|
||||
|
||||
Allow all remaining UPDATES based on **O**rigin **V**alidation **S**tates:
|
||||
````
|
||||
```
|
||||
# enforce ROA
|
||||
allow from ebgp ovs valid
|
||||
````
|
||||
```
|
||||
|
||||
Note how the `ovs` filter requires the `roa-set {...}` to be defined; see the `ROA` section below.
|
||||
|
||||
### path attributes
|
||||
Besides `allow` and `deny` statements, filter rules can modify UPDATE messages, e.g.
|
||||
````
|
||||
```
|
||||
# Scrub normal and large communities relevant to our ASN from EBGP neighbors
|
||||
# https://tools.ietf.org/html/rfc7454#section-11
|
||||
match from ebgp set { large-community delete $ASN:*:* }
|
||||
@ -97,7 +97,7 @@ match from ebgp set { large-community delete $ASN:*:* }
|
||||
# Honor requests to gracefully shutdown BGP sessions
|
||||
# https://tools.ietf.org/html/rfc8326
|
||||
match from any community GRACEFUL_SHUTDOWN set { localpref 0 }
|
||||
````
|
||||
```
|
||||
|
||||
# ROA
|
||||
|
||||
@ -114,19 +114,19 @@ ROA files generated by [dn42regsrv](https://git.dn42.dev/burble/dn42regsrv) are
|
||||
|[https://dn42.burble.com/roa/dn42_roa_obgpd_6.conf](https://dn42.burble.com/roa/dn42_roa_obgpd_6.conf) | IPv6 Only |
|
||||
|
||||
`/etc/dn42.roa-set` is the generated set:
|
||||
````
|
||||
```
|
||||
roa-set {
|
||||
fd00:12:34::/48 source-as 4242421234
|
||||
fd00:ab:cd::/44 maxlen 64 source-as 4242427890
|
||||
...
|
||||
}
|
||||
````
|
||||
```
|
||||
|
||||
Include it in `/etc/bgpd.conf`:
|
||||
````
|
||||
```
|
||||
# defines roat-set, see _rpki-client crontab
|
||||
include "/etc/dn42.roa-set"
|
||||
````
|
||||
```
|
||||
|
||||
# Looking glass
|
||||
This is mostly OpenBSD specific since [bgplg(8)](http://man.openbsd.org/bgplg.8) and [httpd(8)](http://man.openbsd.org/httpd.8) ship as part of the operating system.
|
||||
|
@ -98,7 +98,7 @@ Apply a prefix list for incoming prefixes to your peer group:
|
||||
ipv6 prefix-list vpn-in seq 15 deny any
|
||||
|
||||
#### Example filter list script
|
||||
````
|
||||
```
|
||||
#!/bin/bash
|
||||
|
||||
vtysh -c 'conf t' -c "no ip prefix-list dn42"; #drop old prefix list
|
||||
@ -109,7 +109,7 @@ do
|
||||
done < <(curl -s https://ca.dn42.us/reg/filter.txt | grep -e ^[0-9] | awk '{ print "ip prefix-list dn42 seq " $1 " " $2 " " $3 " ge " $4 " le " $5}' | sed "s_/\([0-9]\+\) ge \1_/\1_g;s_/\([0-9]\+\) le \1_/\1_g");
|
||||
vtysh -c "wr" #write new prefix list
|
||||
|
||||
````
|
||||
```
|
||||
|
||||
## show bpg session status
|
||||
|
||||
@ -118,7 +118,7 @@ in this example:
|
||||
* no (vpn) connection at all exists with peer 64692
|
||||
* a (vpn) connection with 4242421375 exists, but no bgp session
|
||||
|
||||
````
|
||||
```
|
||||
vtysh> show ip bgp summary
|
||||
BGP router identifier 172.22.100.254, local AS number 64698
|
||||
RIB entries 938, using 103 KiB of memory
|
||||
@ -132,4 +132,4 @@ Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
|
||||
....
|
||||
172.23.64.1 4 4242421375 0 0 0 0 0 never Active
|
||||
fe80::deca:fbad 4 64699 902 694 0 0 0 01:23:57 486
|
||||
````
|
||||
```
|
@ -19,13 +19,13 @@ The signature and verification process varies depending on the type of public ke
|
||||
#### Finding the commit hash
|
||||
|
||||
`git log` will list all the recent commits and show the commit hash:
|
||||
````
|
||||
```
|
||||
commit 6e2e9ac540e2e4e3c3a135ad90c8575bb8fa1784 (HEAD -> master)
|
||||
Author: foo <foo@baz.com>
|
||||
Date: Mon Jan 01 01:01:01 2020 +0000
|
||||
|
||||
Change some stuff
|
||||
````
|
||||
```
|
||||
|
||||
## Authentication with PGP Key
|
||||
|
||||
@ -34,9 +34,9 @@ PGP keys may be uploaded to a public keyserver for verification, or added in the
|
||||
#### Using a public keyserver
|
||||
|
||||
- Use the following `auth` attribute in your `mntner` object:
|
||||
````
|
||||
```
|
||||
auth: pgp-fingerprint <fingerprint>
|
||||
````
|
||||
```
|
||||
Where `<fingerprint>` is your full 40-digit key fingerprint, without spaces.
|
||||
|
||||
- Ensure that your public key has been uploaded to a public keyserver, e.g. [SKS](https://sks-keyservers.net/), [OpenPGP](https://keys.openpgp.org/), [keybase](https://keybase.io/).
|
||||
@ -44,9 +44,9 @@ Where `<fingerprint>` is your full 40-digit key fingerprint, without spaces.
|
||||
#### Adding to the registry
|
||||
|
||||
- Use the following `auth` attribute in your `mntner` object:
|
||||
````
|
||||
```
|
||||
auth: PGPKEY-<fprint>
|
||||
````
|
||||
```
|
||||
Where `<fprint>` is the last 8 digits from your key fingerprint.
|
||||
|
||||
- Create a `key-cert` object for your public key, using `PGPKEY-<fprint>` for the filename. Do browse the registry and check the existing objects for examples.
|
||||
@ -56,9 +56,9 @@ Where `<fprint>` is the last 8 digits from your key fingerprint.
|
||||
- Use `git commit -S` to commit and sign your change. See the [github guide](https://help.github.com/en/github/authenticating-to-github/signing-commits).
|
||||
|
||||
- If you have already committed your change, you can sign it using.
|
||||
````
|
||||
```
|
||||
git commit --amend --no-edit -S
|
||||
````
|
||||
```
|
||||
|
||||
#### Verifying the signature
|
||||
|
||||
@ -67,9 +67,9 @@ git commit --amend --no-edit -S
|
||||
## Authentication using an SSH key
|
||||
|
||||
The generic format for authentication using an SSH key is as follows:
|
||||
````
|
||||
```
|
||||
auth: ssh-<keytype> <pubkey>
|
||||
````
|
||||
```
|
||||
There are examples below for each specific key type.
|
||||
|
||||
#### Generic process for signing with an SSH key
|
||||
@ -77,9 +77,9 @@ There are examples below for each specific key type.
|
||||
OpenSSH v8 introduced new functionality for creating signatures using SSH keys. If you have an older version, you can compile the latest version of ssh-keygen from the [openssh-portable repo](https://github.com/openssh/openssh-portable).
|
||||
|
||||
Use the following to sign the latest `<commit hash>` (that you found using `git log`)
|
||||
````sh
|
||||
```sh
|
||||
echo "<commit hash>" | ssh-keygen -Y sign -f <private key file> -n dn42
|
||||
````
|
||||
```
|
||||
|
||||
Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion.
|
||||
|
||||
@ -88,25 +88,25 @@ Post the signature in to the 'Conversation' section of your pull request to allo
|
||||
The following procedure will verify the signature (using the `<commit hash>`, your `<pubkey>` and the `<signature>` generated in the previous step.
|
||||
|
||||
Create a temporary file containing the signature
|
||||
````sh
|
||||
```sh
|
||||
echo "<signature>" > sig.tmp
|
||||
````
|
||||
```
|
||||
Create a temporary 'allowed users' file
|
||||
````sh
|
||||
```sh
|
||||
echo "YOU-MNT ssh-<keytype> <pubkey>" > allowed.tmp
|
||||
````
|
||||
```
|
||||
Verify the signature
|
||||
````sh
|
||||
```sh
|
||||
echo "<commit hash>" | \
|
||||
ssh-keygen -Y verify -f allowed.tmp -n dn42 -I YOU-MNT -s sig.tmp
|
||||
````
|
||||
```
|
||||
|
||||
### Authentication with an SSH RSA key
|
||||
|
||||
- Use the following `auth` attribute in your `mntner` object:
|
||||
````
|
||||
```
|
||||
auth: ssh-rsa <pubkey>
|
||||
````
|
||||
```
|
||||
Where `<pubkey>` is the ssh public key copied from your id_rsa.pub file.
|
||||
|
||||
#### Signing your commits
|
||||
@ -114,19 +114,19 @@ Where `<pubkey>` is the ssh public key copied from your id_rsa.pub file.
|
||||
If you cannot use the generic SSH process described above then RSA signatures can also be created using openssl.
|
||||
|
||||
Use the following to sign your `<commit hash>` (that you found using `git log`)
|
||||
````sh
|
||||
```sh
|
||||
openssl pkeyutl \
|
||||
-sign \
|
||||
-inkey ~/.ssh/id_rsa \
|
||||
-in <(echo "<commit hash>") | base64
|
||||
````
|
||||
```
|
||||
|
||||
Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion.
|
||||
|
||||
#### Verifying the signature
|
||||
|
||||
The following script will verify the signature (using the `<commit hash>`, your rsa `<pubkey>` and the `<signature>` generated in the previous step.
|
||||
````sh
|
||||
```sh
|
||||
openssl pkeyutl \
|
||||
-verify \
|
||||
-pubin \
|
||||
@ -137,14 +137,14 @@ openssl pkeyutl \
|
||||
-f <(echo "ssh-rsa <pubkey>")\
|
||||
) \
|
||||
-sigfile <(echo "<signature>" | base64 -d)
|
||||
````
|
||||
```
|
||||
|
||||
### Authentication with an SSH ed25519 key
|
||||
|
||||
- Use the following `auth` attribute in your `mntner` object:
|
||||
````
|
||||
```
|
||||
auth: ssh-ed25519 <pubkey>
|
||||
````
|
||||
```
|
||||
Where `<pubkey>` is the ssh public key copied from your id_ed25519.pub file.
|
||||
|
||||
#### Signing your commits
|
||||
@ -152,9 +152,9 @@ Where `<pubkey>` is the ssh public key copied from your id_ed25519.pub file.
|
||||
There is no alternative process for signing using ed25519 keys, you must use the generic process described above. The process only works with ssh-keygen versions >= v8.
|
||||
|
||||
Use the following to sign your `<commit hash>` (that you found using `git log`)
|
||||
````sh
|
||||
```sh
|
||||
echo "<commit hash>" | ssh-keygen -Y sign -f ~/.ssh/id_ed25519 -n dn42
|
||||
````
|
||||
```
|
||||
|
||||
Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion.
|
||||
|
||||
@ -163,25 +163,25 @@ Post the signature in to the 'Conversation' section of your pull request to allo
|
||||
The following procedure will verify the signature (using the `<commit hash>`, your ed25519 `<pubkey>` and the `<signature>` generated in the previous step.
|
||||
|
||||
Create a temporary file containing the signature
|
||||
````sh
|
||||
```sh
|
||||
echo "<signature>" > sig.tmp
|
||||
````
|
||||
```
|
||||
Create a temporary 'allowed users' file
|
||||
````sh
|
||||
```sh
|
||||
echo "YOU-MNT ssh-ed25519 <pubkey>" > allowed.tmp
|
||||
````
|
||||
```
|
||||
Verify the signature
|
||||
````sh
|
||||
```sh
|
||||
echo "<commit hash>" | \
|
||||
ssh-keygen -Y verify -f allowed.tmp -n dn42 -I YOU-MNT -s sig.tmp
|
||||
````
|
||||
```
|
||||
|
||||
### Authentication with an SSH ecdsa key
|
||||
|
||||
- Use the following `auth` attribute in your `mntner` object:
|
||||
````
|
||||
```
|
||||
auth: ecdsa-sha2-nistp256 <pubkey>
|
||||
````
|
||||
```
|
||||
Where `<pubkey>` is the ssh public key copied from your id_ecdsa.pub file.
|
||||
|
||||
#### Signing your commits
|
||||
@ -193,23 +193,23 @@ Make a copy and use the copy as the ssh-keygen command below will overwrite the
|
||||
|
||||
Convert your private ssh key to a file that openssl can read:
|
||||
**DO THIS ON A COPY OF YOUR SSH KEY**
|
||||
````sh
|
||||
```sh
|
||||
ssh-keygen -p -m pem -f <private key file copy>
|
||||
````
|
||||
```
|
||||
|
||||
Sign the commit hash using your ecdsa key, using openssl:
|
||||
````sh
|
||||
```sh
|
||||
openssl pkeyutl -sign \
|
||||
-inkey <converted key file> \
|
||||
-in <(echo "<commit hash>") | base64
|
||||
````
|
||||
```
|
||||
|
||||
Post the signature in to the 'Conversation' section of your pull request to allow the registry maintainers to verify it. It can help to also include the commit hash that you have signed, to avoid any confusion.
|
||||
|
||||
#### Verifying the signature
|
||||
|
||||
The following script will verify the signature (using the `<commit hash>`, your ecdsa `<pubkey>` and the `<signature>` generated in the previous step.
|
||||
````sh
|
||||
```sh
|
||||
openssl pkeyutl \
|
||||
-verify \
|
||||
-pubin \
|
||||
@ -220,4 +220,4 @@ openssl pkeyutl \
|
||||
-f <(echo "ecdsa-sha2-nistp256 <pubkey>")\
|
||||
) \
|
||||
-sigfile <(echo "<signature>" | base64 -d)
|
||||
````
|
||||
```
|
||||
|
@ -1,6 +1,6 @@
|
||||
Modern versions of Windows do not support OSPF and manually adding static routes every time after a reboot is annoying. Below is a batch script you can edit and run to help make adding routes easier. This script assumes that your BGP router and Windows computer are on the same LAN.
|
||||
|
||||
````
|
||||
```
|
||||
@echo off
|
||||
REM fill in YOUR network information
|
||||
REM right click and RUN AS ADMIN
|
||||
@ -60,4 +60,4 @@ ping %gateway4%
|
||||
pause
|
||||
ping %gateway6%
|
||||
pause
|
||||
````
|
||||
```
|
@ -30,26 +30,26 @@ Peer most likely provided you with encryption details.
|
||||
If not, ask them about it.
|
||||
Here we're gonna use aes256-sha256-modp1536
|
||||
|
||||
````
|
||||
```
|
||||
/ip ipsec peer
|
||||
add address=1.1.1.1 comment=gre-dn42-peer dh-group=modp1536 \
|
||||
enc-algorithm=aes-256 hash-algorithm=sha256 local-address=2.2.2.2 secret=PASSWORD
|
||||
|
||||
````
|
||||
````
|
||||
```
|
||||
```
|
||||
/ip ipsec policy
|
||||
add comment=gre-dn42-peer dst-address=1.1.1.1/32 proposal=dn42 protocol=gre \
|
||||
sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=2.2.2.2/32
|
||||
````
|
||||
```
|
||||
|
||||
### GRE
|
||||
Pretty straightforward here
|
||||
|
||||
````
|
||||
```
|
||||
/interface gre
|
||||
add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn42-peer \
|
||||
remote-address=1.1.1.1
|
||||
````
|
||||
```
|
||||
|
||||
### IPs inside the GRE tunnel
|
||||
Your peer most likely provided you with IP adresses for GRE tunnel.
|
||||
@ -60,18 +60,18 @@ Add the IP your peer provided you:
|
||||
|
||||
#### IPv4
|
||||
|
||||
````
|
||||
```
|
||||
/ip address
|
||||
add address=192.168.200.130/30 interface=gre-dn42-peer network=192.168.200.128
|
||||
````
|
||||
```
|
||||
|
||||
#### IPv6
|
||||
Here we can use /127, so it's simple:
|
||||
|
||||
````
|
||||
```
|
||||
/ipv6 address
|
||||
add address=fdc8:c633:5319:3300::41/127 advertise=no interface=gre-dn42-peer
|
||||
````
|
||||
```
|
||||
|
||||
If you configured everything correctly, you should be able to ping
|
||||
|
||||
@ -83,74 +83,74 @@ In this example, we will be filtering IN: 192.168.0.0/16 and 169.254.0.0/16
|
||||
OUT: 192.168.0.0/16 and 169.254.0.0/16, you really don't want to advertise this networks.
|
||||
This filter will not only catch /8 or /16 networks, but smaller networks inside this subnets as well.
|
||||
|
||||
````
|
||||
```
|
||||
/routing filter
|
||||
add action=discard address-family=ip chain=dn42-in prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
|
||||
add action=discard address-family=ip chain=dn42-in prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
|
||||
add action=discard address-family=ip chain=dn42-out prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
|
||||
add action=discard address-family=ip chain=dn42-out prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
|
||||
````
|
||||
```
|
||||
|
||||
Now, if you want only DN42 connection, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks):
|
||||
|
||||
````
|
||||
```
|
||||
/routing filter
|
||||
add action=discard address-family=ip chain=dn42-in prefix=10.0.0.0/8 prefix-length=8-32 protocol=bgp
|
||||
````
|
||||
```
|
||||
|
||||
### BGP
|
||||
Now, for actual BGP configuration.
|
||||
|
||||
````
|
||||
```
|
||||
/routing bgp instance
|
||||
set default disabled=yes
|
||||
add as=YOUR_AS client-to-client-reflection=no name=bgp-dn42-somename out-filter=dn42-in \
|
||||
router-id=1.1.1.1
|
||||
````
|
||||
```
|
||||
Let's add some peers. Right now we have just one, but we still need two connections - to IPv4 and IPv6
|
||||
|
||||
IPv4:
|
||||
|
||||
````
|
||||
```
|
||||
/routing bgp peer
|
||||
add comment="DN42: somepeer IPv4" in-filter=dn42-in instance=bgp-dn42-somename multihop=yes \
|
||||
name=dn42-somepeer-ipv4 out-filter=dn42-out remote-address=192.168.200.129 remote-as=PEER_AS \
|
||||
route-reflect=yes ttl=default
|
||||
````
|
||||
```
|
||||
IPv6 (if needed):
|
||||
|
||||
````
|
||||
```
|
||||
/routing bgp peer
|
||||
add address-families=ipv6 comment="DN42: somepeer IPv6" in-filter=dn42-in \
|
||||
instance=bgp-dn42-somename multihop=yes name=dn42-somepeer-ipv6 out-filter=dn42-out \
|
||||
remote-address=fd42:c644:5222:3222::40 remote-as=PEER_AS route-reflect=yes ttl=default
|
||||
````
|
||||
```
|
||||
|
||||
Also, as a note, Mikrotik doesn't deal well with BGP running over link-local addresses (the address starting with fe80). You need to use a fd42:: address in your BGP session, otherwise, BGP will not install any received route.
|
||||
|
||||
### BGP Advertisements
|
||||
You want to advertise your allocated network (most likely), it's very simple:
|
||||
|
||||
````
|
||||
```
|
||||
/routing bgp network
|
||||
add network=YOUR_ALLOCATED_SUBNET synchronize=no
|
||||
````
|
||||
```
|
||||
You can repeat that with as much IPv4 and IPv6 networks which you own.
|
||||
|
||||
## Split DNS
|
||||
Separate dns requests for dn42 tld from your default dns traffic with L7 filter in Mikrotik.
|
||||
Change network and LAN GW to mach your network configuration.
|
||||
|
||||
````
|
||||
```
|
||||
/ip firewall layer7-protocol
|
||||
add name=DN42-DNS regexp="\\x04dn42.\\x01"
|
||||
/ip firewall nat
|
||||
add action=src-nat chain=srcnat comment="NAT to DN42 DNS" dst-address=172.23.0.53 dst-port=53 protocol=udp src-address=192.168.0.0/24 to-addresses=192.168.0.1
|
||||
add action=dst-nat chain=dstnat dst-address-type=local dst-port=53 layer7-protocol=DN42-DNS protocol=udp src-address=192.168.0.0/24 to-addresses=172.23.0.53 to-ports=53
|
||||
|
||||
````
|
||||
```
|
||||
Since version 6.47 have added functionality that can redirect DNS queries according to special rules. If you used to do Layer-7 rules in the firewall, now it's simple and elegant:
|
||||
````
|
||||
```
|
||||
/ip dns static
|
||||
add comment=DN42 forward-to=172.23.0.53 regexp=".*\\.dn42" type=FWD
|
||||
````
|
||||
```
|
@ -22,49 +22,49 @@ How can we workaround these issues? Simple. We setup a /32 on the Point-to-Point
|
||||
|
||||
You create the GRE interface in the same way the [Mikrotik Guide](/howto/mikrotik) does.
|
||||
|
||||
````
|
||||
```
|
||||
/interface gre
|
||||
add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn42-peer \
|
||||
remote-address=1.1.1.1
|
||||
````
|
||||
```
|
||||
|
||||
Next you add the /32 address on the interface. You can install this address on a loop interface (on RouterOS this means an empty bridge) if you plan to use the same address over several GRE tunnels or other OpenVPN interfaces.
|
||||
|
||||
````
|
||||
```
|
||||
/ip address add address=172.24.0.1/32 interface=gre-dn42-peer
|
||||
````
|
||||
```
|
||||
|
||||
Next, we add the direct route as next-hop using the interface
|
||||
|
||||
````
|
||||
```
|
||||
/ip route add distance=1 dst-address=172.26.2.2/32 gateway=gre-dn42-peer pref-src=172.24.0.1
|
||||
````
|
||||
```
|
||||
|
||||
At this point, the ping with the peer should work. Also, the bgp session can be established, but the routes will not work. We need a input filter to fix the next-hop routes.
|
||||
|
||||
````
|
||||
```
|
||||
/routing filter add chain=bgp-dn42-peer-in protocol=bgp set-in-nexthop-direct=gre-dn42-peer
|
||||
````
|
||||
```
|
||||
|
||||
if you have other global input chain filters, you should add a jump in the same chain, like this:
|
||||
````
|
||||
```
|
||||
/routing filter add action=jump chain=bgp-dn42-peer-in protocol=bgp jump-target=bgp-global-dn42-input
|
||||
````
|
||||
```
|
||||
|
||||
If you haven't created the BGP session, create it now from the [Mikrotik guide](/howto/mikrotik#how-to-connect-to-dn42-using-mikrotik-routeros_bgp). Change the peer input filter to use the chain we've just created:
|
||||
|
||||
````
|
||||
```
|
||||
/routing bgp peer set bgp-dn42-somename in-filter=bgp-dn42-peer-in
|
||||
````
|
||||
```
|
||||
|
||||
With this fix, all the routes will have set next-hop the GRE interface and there will be no need to use RouterOS' recursive route resolve.
|
||||
|
||||
Check the routes with:
|
||||
````
|
||||
```
|
||||
/ip routes print detail where received-from=bgp-dn42-somename
|
||||
````
|
||||
```
|
||||
|
||||
There should an attribute like:
|
||||
````
|
||||
```
|
||||
gateway=gre-dn42-peer gateway-status=gre-dn42-peer reachable
|
||||
````
|
||||
```
|
@ -13,24 +13,24 @@ That is why `rp_filter` needs to be disabled.
|
||||
|
||||
**Note** using sysctl is not persistent. Depending on your linux distribution put it into `/etc/sysctl.conf` or `/etc/sysctl.d`
|
||||
|
||||
````
|
||||
```
|
||||
sysctl -w net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0
|
||||
````
|
||||
```
|
||||
|
||||
Check that its really disabled:
|
||||
````
|
||||
```
|
||||
sysctl -a | grep rp_filter
|
||||
````
|
||||
```
|
||||
|
||||
Also the following options must be set.
|
||||
````
|
||||
```
|
||||
$ sysctl -w net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1
|
||||
````
|
||||
```
|
||||
|
||||
Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4.
|
||||
````
|
||||
```
|
||||
$ sysctl -a | grep forwarding
|
||||
````
|
||||
```
|
||||
|
||||
### Note on firewalls, conntrack and asymmetric routing
|
||||
|
||||
|
@ -10,7 +10,7 @@
|
||||
* Replace `<REMOTE_GATEWAY_IP>` with dn42 ip address of your peer
|
||||
* `<LOCAL_GATEWAY_IPV6> <REMOTE_GATEWAY_IPV6>` same as ipv4, but both ip addresses needs to be in the same subnet. For simplicity you can always use an address from link-local ipv6 range (fe80::/64)
|
||||
|
||||
````
|
||||
```
|
||||
#/etc/openvpn/<PEER_NAME>
|
||||
proto <PROTO>
|
||||
mode p2p
|
||||
@ -35,19 +35,19 @@ secret /etc/openvpn/<PEER_NAME>.key
|
||||
# <secret>
|
||||
# ... Key File contents go here ...
|
||||
# </secret>
|
||||
````
|
||||
```
|
||||
|
||||
then create a new key and share it with your peer
|
||||
|
||||
````
|
||||
```
|
||||
$ openvpn --genkey --secret /etc/openvpn/<PEER_NAME>.key
|
||||
````
|
||||
```
|
||||
|
||||
# Example Configuration if one peer has a floating ip
|
||||
|
||||
## peer with fixed ip
|
||||
|
||||
````
|
||||
```
|
||||
proto <PROTO>
|
||||
mode p2p
|
||||
dev-type tun
|
||||
@ -63,7 +63,7 @@ port <LOCAL_PORT>
|
||||
ifconfig-ipv6 <LOCAL_GATEWAY_IPV6> <REMOTE_GATEWAY_IPV6>
|
||||
ifconfig <LOCAL_GATEWAY_IP> <REMOTE_GATEWAY_IP>
|
||||
secret /etc/openvpn/<PEER_NAME>.key
|
||||
````
|
||||
```
|
||||
|
||||
## peer with floating ip
|
||||
|
||||
@ -72,7 +72,7 @@ secret /etc/openvpn/<PEER_NAME>.key
|
||||
* `<REMOTE_HOST>` is the ip address of your peer
|
||||
* `<REMOTE_PORT>` is openvpn port, where your peer listen for traffic
|
||||
|
||||
````
|
||||
```
|
||||
proto <PROTO>
|
||||
mode p2p
|
||||
remote <REMOTE_HOST>
|
||||
@ -89,7 +89,7 @@ resolv-retry infinite
|
||||
ifconfig <LOCAL_GATEWAY_IP> <REMOTE_GATEWAY_IP>
|
||||
ifconfig-ipv6 <LOCAL_GATEWAY_IPV6> <LOCAL_GATEWAY_IPV6>
|
||||
secret /etc/openvpn/<PEER_NAME>.key
|
||||
````
|
||||
```
|
||||
|
||||
# Example configuration for connecting roaming clients to dn42
|
||||
|
||||
@ -99,7 +99,7 @@ Clients connect using certificates, and simply get attributed dn42 IPs in the or
|
||||
|
||||
Replace `<PORT>` with the UDP port you want OpenVPN to listen to, and change the IP ranges (`ifconfig` and `route-gateway` options).
|
||||
|
||||
````
|
||||
```
|
||||
mode server
|
||||
tls-server
|
||||
|
||||
@ -146,13 +146,13 @@ push "route-gateway 172.22.X.145"
|
||||
push "route 172.22.0.0 255.254.0.0"
|
||||
###push "route 172.31.0.0 255.255.0.0"
|
||||
###push "route 10.0.0.0 255.0.0.0"
|
||||
````
|
||||
```
|
||||
|
||||
## Client configuration
|
||||
|
||||
Change `<SERVER>` and `<PORT>`.
|
||||
|
||||
````
|
||||
```
|
||||
client
|
||||
|
||||
ca ca.crt
|
||||
@ -176,7 +176,7 @@ persist-tun
|
||||
resolv-retry infinite
|
||||
|
||||
verb 3
|
||||
````
|
||||
```
|
||||
|
||||
## Certificate management
|
||||
|
||||
@ -184,7 +184,7 @@ Use easy-rsa, it's easy to use. Below is a very short description, find a real
|
||||
|
||||
Build the CA: `. vars`, `./build-ca`, then generate the server key: `./build-key-server roaming-dn42`.
|
||||
|
||||
Then, for each client, generate a private key and a certificate: ````./build-key myclient````. The Common Name is the only important information (it will be used to identify the client, for instance in the logs).
|
||||
Then, for each client, generate a private key and a certificate: ```./build-key myclient```. The Common Name is the only important information (it will be used to identify the client, for instance in the logs).
|
||||
|
||||
# See also
|
||||
* [Network settings](https://internal.dn42/howto/networksettings)
|
||||
|
@ -5,16 +5,16 @@ This is the config that is used on ZOTAN Networks (AS4242422341). Full network c
|
||||
# Configuration
|
||||
|
||||
## loopback device (lo.network)
|
||||
````
|
||||
```
|
||||
[Match]
|
||||
Name=lo
|
||||
|
||||
[Network]
|
||||
Address=fdff:b02d:2ef7::2/128
|
||||
````
|
||||
```
|
||||
|
||||
## wireguard netdev (dn42p1.netdev)
|
||||
````
|
||||
```
|
||||
[NetDev]
|
||||
Name = dn42p1
|
||||
Kind = wireguard
|
||||
@ -28,10 +28,10 @@ PrivateKeyFile = /etc/wireguard/private.key
|
||||
PublicKey = <peer wg pubkey>
|
||||
Endpoint = <peer wg endpoint>:<peer wg port>
|
||||
AllowedIPs = 172.16.0.0/12,10.0.0.0/8,fd00::/8,fe80::/10,ff00::/8
|
||||
````
|
||||
```
|
||||
|
||||
## wireguard network (dn42p1.network)
|
||||
````
|
||||
```
|
||||
[Match]
|
||||
Name = dn42p1
|
||||
|
||||
@ -43,4 +43,4 @@ Peer = <peer tunnel linklocal address>/128
|
||||
Address = <your DN42 ipv4>/32
|
||||
Peer = <peer DN42 ipv4>/32
|
||||
|
||||
````
|
||||
```
|
@ -10,7 +10,7 @@ One advantage of tinc is that you can have multiple peering over the same VPN co
|
||||
|
||||
Example `/etc/tinc/dn42_yourpeer/tinc.conf`:
|
||||
|
||||
````
|
||||
```
|
||||
Interface = dn42_yourpeer
|
||||
Name = your_host
|
||||
# Only switch mode is feasible for dn42 peerings, since in router mode tinc takes care of routing decisions on its own
|
||||
@ -19,14 +19,14 @@ Mode = switch
|
||||
ConnectTo = remote_host
|
||||
# In newer versions (>= 1.1) you can use AutoConnect instead
|
||||
#AutoConnect = yes
|
||||
````
|
||||
```
|
||||
|
||||
Tinc requires to add manually ip addresses and routes to the tap/tun interfaces. On startup it will execute `/etc/tinc/dn42_yourpeer/tinc-up` if it exists **and** is executable:
|
||||
|
||||
Example `/etc/tinc/dn42_yourpeer/tinc-up`:
|
||||
|
||||
**Linux/iproute2**
|
||||
````
|
||||
```
|
||||
#!/bin/sh
|
||||
|
||||
# set the interface up
|
||||
@ -38,19 +38,19 @@ ip addr add fe80::1/64 dev $INTERFACE
|
||||
|
||||
# add routes
|
||||
ip route add 172.16.0.1/30 dev $INTERFACE table peers
|
||||
````
|
||||
```
|
||||
|
||||
For authentication tinc uses public key authentication instead of certificates or pre-shared keys.
|
||||
For each key tinc should connect to or allow to connect, a file with the name of the peer in tincd -n twwh -K
|
||||
is required. To generate a public/private key pair use:
|
||||
|
||||
````
|
||||
```
|
||||
$ tincd -K
|
||||
````
|
||||
```
|
||||
|
||||
Import for each other party the key like this `/etc/tinc/dn42_yourpeer/hosts/<peername>`:
|
||||
|
||||
````
|
||||
```
|
||||
# address/port are optional, in case they're missing you only expect connections from that host
|
||||
Address = <fqdn/ip_addr>
|
||||
Port = <port|655>
|
||||
@ -62,7 +62,7 @@ tcJpbgbYRzBTUPdSL3OB8k0qlmFI2ZYTnCzOSpgxRQARIB1ecoqOYVxQISK2pzxi
|
||||
MHQQlVbquwldaKiVoj7tD7PFW4oQxpiMHZnHIA6dnZCsT3ktTOzCjhf2XMi8o8u5
|
||||
P9C5dYrmVWrVAWQznlbuq/w1z+PrTYquoQIDAQAB
|
||||
-----END RSA PUBLIC KEY-----
|
||||
````
|
||||
```
|
||||
|
||||
## Fun with tinc-pre
|
||||
|
||||
@ -74,21 +74,21 @@ Installation:
|
||||
* Freebsd: Use this [port repo](https://github.com/Mic92/ports/tree/master/security/tinc)
|
||||
|
||||
Set up a new tinc network
|
||||
````
|
||||
```
|
||||
# tinc -n dn42_yourpeer init dn42_yourself
|
||||
````
|
||||
```
|
||||
|
||||
Invite your peering partner. Tinc will print the invitaion which you need to copy to your peering partner.
|
||||
````
|
||||
```
|
||||
$ tinc invite yourpeer
|
||||
<ip-or-address>/nIRp5pJCnfnhuV13JUomscGs1q5HqEbz3AydZer7wRaMcpUB
|
||||
````
|
||||
```
|
||||
|
||||
On the other node you can join by using:
|
||||
|
||||
````
|
||||
```
|
||||
$ tinc join <invitation-url>
|
||||
````
|
||||
```
|
||||
|
||||
This node will then automatically generate configuration, private/public keys and will exchange this key with the other node on connection.
|
||||
|
||||
|
@ -7,18 +7,18 @@ It can be downloaded here https://www.vyos.io/rolling-release/.
|
||||
We will configure firewall access lists for inbound connections on our peer Wireguard interfaces as well as block all inbound connections to our router with the exception of BGP. This should be a good baseline firewall ruleset to filter inbound traffic on your network’s edge. Modifications may be needed depending on your specific goals. If your router has an uplink back to a larger internal network (outside of DN42), an outbound firewall ruleset will need to be applied to that interface. The examples here only cover **IPv4**, but the same concepts can be applied to **IPv6** rulesets.
|
||||
|
||||
By default, VyOS is a **stateless** firewall. To enable **stateful** packet inspection globally enter the following commands.
|
||||
````
|
||||
```
|
||||
set firewall state-policy established action 'accept'
|
||||
set firewall state-policy related action 'accept'
|
||||
````
|
||||
```
|
||||
|
||||
We also need to accept invalids on our network’s edge. However, this should not become common practice elsewhere.
|
||||
````
|
||||
```
|
||||
set firewall state-policy invalid action 'accept'
|
||||
````
|
||||
```
|
||||
|
||||
The below commands create **in** and **local** baseline templates to be applied to all Wireguard interfaces that are facing peers. In this example, **172.20.20.0/24** is your assigned address space.
|
||||
````
|
||||
```
|
||||
#Create Groups
|
||||
set firewall group network-group Allowed-Transit-v4 network '10.0.0.0/8'
|
||||
set firewall group network-group Allowed-Transit-v4 network '172.20.0.0/14'
|
||||
@ -59,17 +59,17 @@ set firewall name Tunnels_Local_v4 rule 98 state invalid 'enable'
|
||||
set firewall name Tunnels_Local_v4 rule 99 action 'drop'
|
||||
set firewall name Tunnels_Local_v4 rule 99 description 'Black Hole'
|
||||
set firewall name Tunnels_Local_v4 rule 99 log 'enable'
|
||||
````
|
||||
```
|
||||
|
||||
## Wireguard
|
||||
### Setup Keys
|
||||
````
|
||||
```
|
||||
generate wireguard default-keypair
|
||||
show wireguard keypairs pubkey default
|
||||
````
|
||||
```
|
||||
_Grab your public key and save it for later. This will be shared with peers._
|
||||
### Configure First Peer
|
||||
````
|
||||
```
|
||||
#Your DN42 Address
|
||||
set interfaces wireguard wg92 address '172.20.20.1/32'
|
||||
|
||||
@ -93,7 +93,7 @@ set interfaces wireguard wg92 port '12345'
|
||||
|
||||
#Set static interface route to first peers /32 DN42 IPv4 on their tunnel endpoint
|
||||
set protocols static interface-route 172.20.50.1/32 next-hop-interface wg92
|
||||
````
|
||||
```
|
||||
|
||||
|
||||
|
||||
@ -119,9 +119,9 @@ _Your peers ASN_
|
||||
###Setup RPKI Caching Server
|
||||
Burble has made this super easy. More info can be found [here](https://wiki.dn42/howto/ROA-slash-RPKI) on this wiki. Get started by running the below command on a Linux server with Docker installed.
|
||||
|
||||
````
|
||||
```
|
||||
sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
|
||||
````
|
||||
```
|
||||
|
||||
This will start a docker container that listens on the host server's IP at port 8082. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network.
|
||||
|
||||
@ -133,24 +133,24 @@ This will start a docker container that listens on the host server's IP at port
|
||||
You can check the connection with `show rpki cache-connection` and the received prefix-table with `show rpki prefix-table`.
|
||||
|
||||
###Create Route Map
|
||||
````
|
||||
```
|
||||
set policy route-map DN42-ROA rule 10 action 'permit'
|
||||
set policy route-map DN42-ROA rule 10 match rpki 'valid'
|
||||
set policy route-map DN42-ROA rule 20 action 'permit'
|
||||
set policy route-map DN42-ROA rule 20 match rpki 'notfound'
|
||||
set policy route-map DN42-ROA rule 30 action 'deny'
|
||||
set policy route-map DN42-ROA rule 30 match rpki 'invalid'
|
||||
````
|
||||
```
|
||||
This example allows all routes in unless they are marked invalid or in other words possibly been a victim of BGP hijacking.
|
||||
###Assign Route Map to Neighbor
|
||||
````
|
||||
```
|
||||
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map import DN42-ROA
|
||||
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA
|
||||
````
|
||||
```
|
||||
|
||||
## Example Route Map
|
||||
### No RPKI/ROA and Internal Network Falls Into DN42 Range
|
||||
````
|
||||
```
|
||||
##Build prefix list to match personal internal network
|
||||
set policy prefix-list BlockIPConflicts description 'Prevent Conflicting Routes'
|
||||
set policy prefix-list BlockIPConflicts rule 10 action 'permit'
|
||||
@ -207,7 +207,7 @@ set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv4-unicast route-
|
||||
set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv4-unicast route-map import 'Default-Peering'
|
||||
set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv6-unicast route-map export 'Default-Peering'
|
||||
set protocols bgp 4242421099 neighbor x.x.x.x address-family ipv6-unicast route-map import 'Default-Peering'
|
||||
````
|
||||
```
|
||||
|
||||
|
||||
This page is a work-in-progress by Owens Research. If you have any suggestions or questions please reach out.
|
@ -9,13 +9,13 @@ to allow your BGP daemon instead to do routing. This approach is comparable to [
|
||||
|
||||
First generate on each peer public and private keys.
|
||||
|
||||
````
|
||||
```
|
||||
$ wg genkey | tee privatekey | wg pubkey > publickey
|
||||
````
|
||||
```
|
||||
|
||||
## Configuration
|
||||
|
||||
````
|
||||
```
|
||||
# tunnel.conf
|
||||
[Interface]
|
||||
PrivateKey = <private_key>
|
||||
@ -31,14 +31,14 @@ Endpoint = <end_point_hostname_or_ip:port>
|
||||
# however it is easier to do this with iptables/bgp filters/routing table
|
||||
# instead just like for openvpn-based peerings
|
||||
AllowedIPs = 0.0.0.0/0,::/0
|
||||
````
|
||||
```
|
||||
|
||||
## Configure tunnel:
|
||||
|
||||
Wireguard comes with its own interface type.
|
||||
It supports link-local addresses for IPv6 and single /32 addresses for IPv4, which can be used for peering.
|
||||
|
||||
````
|
||||
```
|
||||
$ ip link add dev <interface_name> type wireguard
|
||||
$ wg setconf <interface_name> tunnel.conf
|
||||
# both side pick a different link-local ipv6 address
|
||||
@ -46,7 +46,7 @@ $ ip addr add fe80::<some_random_suffix>/64 dev <interface_name>
|
||||
# choose the first ip from your subnet and the second one from the peer
|
||||
$ ip addr add 172.xx.xx.xx/32 peer 172.xx.xx.xx/32 dev <interface_name>
|
||||
$ ip link set <interface_name> up
|
||||
````
|
||||
```
|
||||
|
||||
<!-- Nurtic-Vibe has another [script](https://git.dn42.us/Nurtic-Vibe/grmml-helper/src/master/create_wg.sh) to interactively automate the peering process. -->
|
||||
|
||||
@ -54,9 +54,9 @@ Maybe you should check the MTU to your peer with e.g. `ping -s 1472 <end_point_h
|
||||
|
||||
## Testing
|
||||
|
||||
````
|
||||
```
|
||||
ping fe80::<your_peers_suffix>%<interface_name>
|
||||
````
|
||||
```
|
||||
|
||||
(For older iputils, use `ping6`.)
|
||||
|
||||
@ -68,15 +68,15 @@ The wireguard kernel module on linux has support for enabling dynamic debugging.
|
||||
|
||||
Debug messages are logged via dmesg and can be enabled using:
|
||||
|
||||
````sh
|
||||
```sh
|
||||
$ echo 'module wireguard +p' > /sys/kernel/debug/dynamic_debug/control
|
||||
````
|
||||
```
|
||||
|
||||
To disable debug:
|
||||
|
||||
````sh
|
||||
```sh
|
||||
$ echo 'module wireguard -p' > /sys/kernel/debug/dynamic_debug/control
|
||||
````
|
||||
```
|
||||
|
||||
## wg-quick
|
||||
|
||||
@ -94,7 +94,7 @@ The script makes some changes that are not valid when used for DN42 tunnels, and
|
||||
|
||||
An example wg-quick script that incorporates the above two workarounds is below, where `<MyIPv[46]>` are the DN42 IP addresses of your node and `<PeerIPv[46]>` are the IP addresses for your peer.
|
||||
|
||||
````
|
||||
```
|
||||
[Interface]
|
||||
PrivateKey = <your private key>
|
||||
Address = <your link-local address, if any>
|
||||
@ -106,7 +106,7 @@ Table = off
|
||||
Endpoint = <your peer's wireguard endpoint>
|
||||
PublicKey = <your peer's public key>
|
||||
AllowedIPs = 172.16.0.0/12, 10.0.0.0/8, fd00::/8, fe80::/10
|
||||
````
|
||||
```
|
||||
Use `which ip` to get the full path to your ip binary.
|
||||
|
||||
## systemd-networkd
|
||||
@ -114,7 +114,7 @@ Use `which ip` to get the full path to your ip binary.
|
||||
Example configuration for systemd-networkd.
|
||||
|
||||
peer.netdev
|
||||
````text
|
||||
```text
|
||||
[NetDev]
|
||||
Name=<ifname>
|
||||
Kind=wireguard
|
||||
@ -131,10 +131,10 @@ Endpoint=<peer host and port, e.g. 1.2.3.4:9876>
|
||||
AllowedIPs=fe80::/64
|
||||
AllowedIPs=fd00::/8
|
||||
AllowedIPs=0.0.0.0/0
|
||||
````
|
||||
```
|
||||
|
||||
peer.network
|
||||
````text
|
||||
```text
|
||||
[Match]
|
||||
Name=<ifname>
|
||||
|
||||
@ -165,5 +165,5 @@ Peer=<your peer's IPv6 address>/128
|
||||
[Address]
|
||||
Address=<your IPv4 address>/32
|
||||
Peer=<your peer's IPv4 address>/32
|
||||
````
|
||||
```
|
||||
|
||||
|
@ -84,23 +84,23 @@ Some people runs [Tahoe LAFS](/services/Tahoe-LAFS) nodes to provide a secure de
|
||||
|
||||
### ipfs
|
||||
bootstrap peers
|
||||
````
|
||||
```
|
||||
/ip4/172.20.161.135/tcp/4001/ipfs/QmYgD1wdPjx5oWzYJ195K84PqAXRnw9mcqbyZYAdXfaYkD
|
||||
/ip4/172.20.52.220/tcp/4001/ipfs/QmW5ZhZFav8MZLJyvKuK6pKaR4vnQ5MVHfXY3LuMXqa4kc
|
||||
````
|
||||
```
|
||||
test hashes
|
||||
````
|
||||
```
|
||||
/ipfs/QmQ7psrGrXS3GFNC4BtU6pJXq6G7ps5NbYrhS2VYFufj9T
|
||||
/ipfs/QmYLapmcSU7q93Ta4eHMh8fq9ios2HTSdbpHDRQwGG6ocJ
|
||||
````
|
||||
```
|
||||
cdn (currently only jquery
|
||||
````
|
||||
```
|
||||
/ipns/QmW5ZhZFav8MZLJyvKuK6pKaR4vnQ5MVHfXY3LuMXqa4kc/cdn/jquery
|
||||
````
|
||||
```
|
||||
Until browsers have ipfs access (either through native support or js), one can use the http gateway
|
||||
````
|
||||
```
|
||||
https://rest.dn42/
|
||||
````
|
||||
```
|
||||
|
||||
### Torrent Search Engine
|
||||
|
||||
|
@ -90,7 +90,7 @@ Read more on this [stack exchange post][osx-2]
|
||||
How to Run
|
||||
==========
|
||||
|
||||
````
|
||||
```
|
||||
Usage: # OWNER is your MNT handle.
|
||||
./ca.dn42 user-gen OWNER EMAIL # Output to OWNER.csr and OWNER.key
|
||||
./ca.dn42 user-sig OWNER # Output to OWNER.crt and OWNER.p12
|
||||
@ -104,14 +104,14 @@ Revoke Reasons: unspecified, keyCompromise, affiliationChanged,
|
||||
|
||||
Environtment Options:
|
||||
DN42CA_PKCS12 = 1 # Generate pkcs12 file for certificate.
|
||||
````
|
||||
```
|
||||
|
||||
Example
|
||||
=======
|
||||
|
||||
Generate the user key
|
||||
|
||||
````
|
||||
```
|
||||
$ ./ca.dn42 user-gen XUU-MNT xuu@sour.is
|
||||
Generating a 2048 bit RSA private key
|
||||
...............................+++
|
||||
@ -122,11 +122,11 @@ writing new private key to 'XUU-MNT.key'
|
||||
= You need to have this pin added to your mnt object before proceeding to the next step.
|
||||
=
|
||||
|MNT Key Pin| remarks: pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw=
|
||||
````
|
||||
```
|
||||
|
||||
## Sign the user key
|
||||
|
||||
`````
|
||||
````
|
||||
$ ./ca.dn42 user-sign XUU-MNT xuu@sour.is
|
||||
== USER CERT ==
|
||||
C:XD
|
||||
@ -139,11 +139,11 @@ $ ./ca.dn42 user-sign XUU-MNT xuu@sour.is
|
||||
OK https://ca.dn42/crt/XUU-MNT.crt
|
||||
Enter Export Password:
|
||||
Verifying - Enter Export Password:
|
||||
````
|
||||
```
|
||||
|
||||
## Generate the server key
|
||||
|
||||
````
|
||||
```
|
||||
$ ./ca.dn42 tls-gen ca.dn42 XUU-MNT xuu@sour.is DNS:ca.dn42
|
||||
|
||||
Generating a 2048 bit RSA private key
|
||||
@ -156,18 +156,18 @@ writing RSA key
|
||||
= |DNS Key Pin| You need to have this pin added to your dns records before proceeding to the next step.
|
||||
=
|
||||
_dn42_tlsverify.ca.dn42. IN TXT XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ=
|
||||
````
|
||||
```
|
||||
|
||||
After you set this TXT-Record for your domain, you can verify it with the following command (by replacing the domain with your own):
|
||||
|
||||
````
|
||||
```
|
||||
$ dig +short TXT _dn42_tlsverify.ca.dn42.
|
||||
"XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ="
|
||||
````
|
||||
```
|
||||
|
||||
## Sign the server key
|
||||
|
||||
````
|
||||
```
|
||||
$ ./ca.dn42 tls-sign ca.dn42 XUU-MNT
|
||||
== USER CERT ==
|
||||
C:XD
|
||||
@ -191,17 +191,17 @@ $ ./ca.dn42 tls-sign ca.dn42 XUU-MNT
|
||||
OK https://ca.dn42/crt/XUU-MNT_ca.dn42.crt
|
||||
Enter Export Password: ****
|
||||
Verifying - Enter Export Password: ****
|
||||
````
|
||||
```
|
||||
|
||||
The generated certificate will be valid for 3 months, to renew it simply run ````./ca.dn42 tls-sign ca.dn42 XUU-MNT```` again. This could be also automated in cron:
|
||||
The generated certificate will be valid for 3 months, to renew it simply run ```./ca.dn42 tls-sign ca.dn42 XUU-MNT``` again. This could be also automated in cron:
|
||||
|
||||
````
|
||||
```
|
||||
0 0 1 * * /etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
|
||||
````
|
||||
```
|
||||
|
||||
or with a systemd timer:
|
||||
|
||||
````
|
||||
```
|
||||
# update-dn42-ca.timer
|
||||
[Timer]
|
||||
OnBootSec=1h
|
||||
@ -210,9 +210,9 @@ Persistent=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
||||
````
|
||||
```
|
||||
|
||||
````
|
||||
```
|
||||
[Service]
|
||||
Type=oneshot
|
||||
WorkingDirectory=/etc/ssl/dn42
|
||||
@ -220,11 +220,11 @@ ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
|
||||
# accept multiple ExecStart lines for other certificates
|
||||
#ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign foobar.dn42 MIC92-MNT
|
||||
ExecStart=/usr/bin/nginx -s reload
|
||||
````
|
||||
```
|
||||
|
||||
## Revoke a certificate.
|
||||
|
||||
````
|
||||
```
|
||||
$ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
|
||||
== USER CERT ==
|
||||
C:XD
|
||||
@ -236,7 +236,7 @@ $ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
|
||||
pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw=
|
||||
== REVOKE CERT ==
|
||||
OK
|
||||
````
|
||||
```
|
||||
|
||||
## Certificate transparency
|
||||
All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates).
|
@ -5,7 +5,7 @@ If you would like to have a certificate signed by this CA there is [an automated
|
||||
|
||||
The CA certificate ([dn42](https://ca.dn42/crt/root-ca.crt), [iana](https://ca.dn42.us/crt/root-ca.crt)):
|
||||
|
||||
````
|
||||
```
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
@ -95,21 +95,21 @@ P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI
|
||||
1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ
|
||||
C0IKqQ==
|
||||
-----END CERTIFICATE-----
|
||||
````
|
||||
```
|
||||
|
||||
|
||||
## Testing constraints
|
||||
|
||||
The name constraints can be verified for example by using openssl:
|
||||
````
|
||||
```
|
||||
openssl x509 -in dn42.crt -text -noout
|
||||
````
|
||||
```
|
||||
which will show among other things:
|
||||
````
|
||||
```
|
||||
X509v3 Name Constraints:
|
||||
Permitted:
|
||||
DNS:.dn42
|
||||
````
|
||||
```
|
||||
|
||||
## Importing the certificate
|
||||
|
||||
@ -123,19 +123,19 @@ Install `ca-certificates-dn42` from [AUR](https://aur.archlinux.org/packages/ca-
|
||||
|
||||
#### Unofficial Debian Package
|
||||
|
||||
````bash
|
||||
```bash
|
||||
wget https://ca.dn42.us/ca-dn42_20161122.0_all.deb
|
||||
# If you're on a dn42-only network:
|
||||
# wget --no-check-certificate https://ca.dn42/ca-dn42_20161122.0_all.deb
|
||||
sudo dpkg -i ca-dn42_20161122.0_all.deb
|
||||
sudo dpkg-reconfigure ca-certificates
|
||||
````
|
||||
```
|
||||
|
||||
You will be asked which certificates you would like to enabled. By default, the dn42 root certifcate (dn42/root-ca.crt) is not enable, be sure to enable it. This package is waiting for inclusion in Debian (Debian bug [#845351](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845351)).
|
||||
|
||||
#### Manual Installation
|
||||
|
||||
````bash
|
||||
```bash
|
||||
$ mkdir /usr/share/ca-certificates/extra
|
||||
$ cat > /usr/share/ca-certificates/extra/dn42.crt <<EOF
|
||||
-----BEGIN CERTIFICATE-----
|
||||
@ -164,7 +164,7 @@ C0IKqQ==
|
||||
-----END CERTIFICATE-----
|
||||
EOF
|
||||
$ update-ca-certificates
|
||||
````
|
||||
```
|
||||
|
||||
## PKI Store
|
||||
|
||||
|
@ -24,17 +24,17 @@ service and configure the other service as the secondary or backup nameserver.
|
||||
|
||||
Example resolv.conf, preferring a0.recursive-servers.dn42 and IPv4:
|
||||
|
||||
````text
|
||||
```text
|
||||
nameserver 172.20.0.53
|
||||
nameserver 172.23.0.53
|
||||
nameserver fd42:d42:d42:54::1
|
||||
nameserver fd42:d42:d42:53::1
|
||||
search dn42
|
||||
````
|
||||
```
|
||||
|
||||
Example resolv.conf, preferring a3.recursive-servers.dn42 and IPv6:
|
||||
|
||||
````text
|
||||
```text
|
||||
nameserver fd42:d42:d42:53::1
|
||||
nameserver fd42:d42:d42:54::1
|
||||
nameserver 172.23.0.53
|
||||
@ -42,7 +42,7 @@ nameserver 172.20.0.53
|
||||
option inet6 # Linux/glibc
|
||||
family inet6 inet4 # BSD
|
||||
search dn42
|
||||
````
|
||||
```
|
||||
|
||||
## Advanced Configuration
|
||||
|
||||
|
@ -39,7 +39,7 @@ Since gollum is built on top of Git, it is not overly complicated to keep the lo
|
||||
|
||||
+ **wiki-sync.sh**:
|
||||
|
||||
````sh
|
||||
```sh
|
||||
#!/bin/bash
|
||||
|
||||
WIKI_PATH=<repo path>
|
||||
@ -50,7 +50,7 @@ ${GIT} push
|
||||
${GIT} pull
|
||||
|
||||
exit 0
|
||||
````
|
||||
```
|
||||
|
||||
+ **Cron entry**:
|
||||
|
||||
@ -64,13 +64,13 @@ exit 0
|
||||
- Start two gollum instances, read-only and read/write on `127.0.0.1`:
|
||||
|
||||
Read/write (SSL only):
|
||||
````
|
||||
```
|
||||
RACK_ENV=production gollum --css --host 127.0.0.1 --port 4568 <path>
|
||||
````
|
||||
```
|
||||
Read-only:
|
||||
````
|
||||
```
|
||||
RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path>
|
||||
````
|
||||
```
|
||||
|
||||
Set `<path>` to the location where wiki Git repo was cloned.
|
||||
|
||||
@ -82,13 +82,13 @@ RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path>
|
||||
- Generate a [CSR](/services/Certificate-Authority) and send DNS Key Pin to [xuu@sour.is](mailto:xuu@sour.is):
|
||||
- \<AS> is the as number with the prefix `as` like `as64737-ca.wiki.dn42`
|
||||
|
||||
````
|
||||
```
|
||||
./ca.dn42 tls-gen \
|
||||
<AS>-<CC>(-<UID>).wiki.dn42 \
|
||||
EXAMPLE-MNT \
|
||||
mail@example.com \
|
||||
DNS:<AS>-<CC>(-<ID>).wiki.dn42,DNS:wiki.dn42,DNS:www.wiki.dn42,DNS:internal.dn42,DNS:www.internal.dn42
|
||||
````
|
||||
```
|
||||
|
||||
Wait for a reply and then sign the certificate:
|
||||
|
||||
@ -107,15 +107,15 @@ A custom header `X-SiteID` identifies the site you're connecting to:
|
||||
|
||||
- Extract base64 encoded SPKI fingerprint from private key `wiki.key`:
|
||||
|
||||
````
|
||||
```
|
||||
openssl rsa -in wiki.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
|
||||
````
|
||||
```
|
||||
|
||||
- Configure Nginx to send the fingerprint in header (SSL block):
|
||||
|
||||
````
|
||||
```
|
||||
add_header Public-Key-Pins pin-sha256="<primary>"; pin-sha256="<backup>"; max-age=5184000; includeSubDomains';
|
||||
````
|
||||
```
|
||||
|
||||
+ `<primary>` - the fingerprint extracted from `wiki.key`
|
||||
+ `<backup>` - the CA fingerprint: `of00RDinhPeVRNnXm1jXQDagktOL75qQo1pT+xc7VIE=`
|
||||
@ -135,7 +135,7 @@ Nginx should listen on a unicast address as well, so your site can be reached ex
|
||||
|
||||
#### Config example
|
||||
|
||||
````
|
||||
```
|
||||
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
|
||||
ssl_session_cache shared:SSL:2m;
|
||||
|
||||
@ -184,7 +184,7 @@ server {
|
||||
}
|
||||
}
|
||||
|
||||
````
|
||||
```
|
||||
|
||||
## ExaBGP
|
||||
|
||||
@ -194,7 +194,7 @@ The prefix AS-PATH should show the announcement is originating from your AS. Aft
|
||||
|
||||
#### Configuration
|
||||
|
||||
````
|
||||
```
|
||||
# exabgp.conf
|
||||
|
||||
group gollum-watchdog {
|
||||
@ -228,7 +228,7 @@ group gollum-watchdog {
|
||||
}
|
||||
}
|
||||
|
||||
````
|
||||
```
|
||||
|
||||
#### Watchdog script
|
||||
|
||||
@ -236,7 +236,7 @@ Watchdog runs in an infinite loop, sending the appropriate commands to stdout. [
|
||||
|
||||
Run `gollum-watchdog.sh` in a shell first to validate it's working:
|
||||
|
||||
````sh
|
||||
```sh
|
||||
#!/bin/bash
|
||||
|
||||
CURL=curl
|
||||
@ -297,7 +297,7 @@ while [ 1 ]; do
|
||||
done
|
||||
|
||||
exit 0
|
||||
````
|
||||
```
|
||||
|
||||
#### Run
|
||||
|
||||
@ -305,7 +305,7 @@ exit 0
|
||||
|
||||
`USAGE: /etc/exabgp/run.sh [start|stop|restart]`
|
||||
|
||||
````sh
|
||||
```sh
|
||||
#!/bin/bash
|
||||
|
||||
PID_FILE=/var/run/exaBGP/exabgp_PID
|
||||
@ -352,7 +352,7 @@ case ${1} in
|
||||
esac
|
||||
|
||||
exit 0
|
||||
````
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
@ -25,7 +25,7 @@ The collector uses the dynamic peering capability in Bird2 to allow anyone to pe
|
||||
|
||||
Example bird2 config:
|
||||
|
||||
````text
|
||||
```text
|
||||
protocol bgp ROUTE_COLLECTOR
|
||||
{
|
||||
local as ***YOUR_ASN***;
|
||||
@ -66,7 +66,7 @@ protocol bgp ROUTE_COLLECTOR
|
||||
};
|
||||
};
|
||||
}
|
||||
````
|
||||
```
|
||||
|
||||
|
||||
## Querying the collector
|
||||
@ -106,7 +106,7 @@ The collector bird instance can be queried directly using a birdc shell.
|
||||
|
||||
- ssh shell@collector.dn42
|
||||
|
||||
````sh
|
||||
```sh
|
||||
$ ssh shell@collector.dn42
|
||||
------------------------------------
|
||||
* DN42 Global Route Collector *
|
||||
@ -129,5 +129,5 @@ bird> 297441 of 297441 routes for 502 networks in table master4
|
||||
Total: 586116 of 586116 routes for 3597 networks in 4 tables
|
||||
bird>
|
||||
|
||||
````
|
||||
```
|
||||
|
||||
|
@ -11,18 +11,18 @@ Channel statistics for #dn42@hackint are available at: https://dev.0l.dn42/stats
|
||||
|
||||
#### collectd.conf
|
||||
|
||||
````
|
||||
```
|
||||
LoadPlugin exec
|
||||
<Plugin exec>
|
||||
Exec nobody "/etc/collectd/bgp_prefixes-quagga.sh"
|
||||
</Plugin>
|
||||
````
|
||||
```
|
||||
|
||||
collectd refuses to exec scripts as root. On Debian vtysh is compiled with PAM support: adding nobody to the quaggavty group suffices.
|
||||
|
||||
#### bgp_prefixes-quagga.sh
|
||||
|
||||
````sh
|
||||
```sh
|
||||
#!/bin/bash
|
||||
|
||||
INTERVAL=10
|
||||
@ -37,11 +37,11 @@ echo "PUTVAL $HOSTNAME/quagga-bgpd/routes-IPv6 interval=$INTERVAL N:$n6"
|
||||
|
||||
sleep $INTERVAL
|
||||
done
|
||||
````
|
||||
```
|
||||
|
||||
#### Number of prefixes per neighbour for bird
|
||||
|
||||
````sh
|
||||
```sh
|
||||
#!/bin/sh
|
||||
#
|
||||
# Collectd script for collecting the number of routes going through each
|
||||
@ -65,19 +65,19 @@ do
|
||||
echo "PUTVAL $HOSTNAME/bird-bgpd/routes-all interval=$INTERVAL N:$totalroutes"
|
||||
sleep $INTERVAL
|
||||
done
|
||||
````
|
||||
```
|
||||
|
||||
### munin plugin
|
||||
* add the following to /etc/munin/plugin-conf.d/munin-node
|
||||
|
||||
````
|
||||
```
|
||||
[quagga_bgp]
|
||||
user root
|
||||
````
|
||||
```
|
||||
|
||||
* place the script as quagga_bgp in /etc/munin/plugins
|
||||
|
||||
````sh
|
||||
```sh
|
||||
#!/bin/sh
|
||||
#
|
||||
#
|
||||
@ -111,5 +111,5 @@ user root
|
||||
echo bgproutes.value $data
|
||||
fi
|
||||
# Measure Section ##########
|
||||
````
|
||||
```
|
||||
* restart munin-node
|
@ -19,10 +19,10 @@ To run a node you have to install tahoe-lafs at least in version 1.10.2. You can
|
||||
|
||||
Before the first start you have to create a node with `bin/tahoe create-node` or a client (doesn't provide storage) with `bin/tahoe create-client`. This will create the folder .tahoe in your home dir. In the file .tahoe/tahoe.cfg you have to enter on `introducer.furl` the link to our introducer node (UPDATED):
|
||||
|
||||
````
|
||||
```
|
||||
introducer.furl = pb://shvdnad4bqey27ff7ngtschexamvdmmr@tahoe-lafs.e-utp.dn42:44412/kmvmrcforeeet7isgq7ftuymywqp3obb
|
||||
helper.furl = pb://ru7miwm74bfkd6ytchfoq4wgvo3vikq3@fido.e-utp.dn42:44412/iiiopiclr2gszw2fmckbx3eob6krxk7x
|
||||
````
|
||||
```
|
||||
|
||||
With `bin/tahoe start` you start your local node.
|
||||
|
||||
|
@ -102,13 +102,13 @@ We have anycast IPv4 and IPv6, both reachable under whois.dn42. IPs are 172.22.0
|
||||
| weiti | whois.weiti.dn42 | 172.20.175.253 / fdf7:17d5:de49::43 |
|
||||
|
||||
## Usage
|
||||
````sh
|
||||
```sh
|
||||
whois -h $host $query
|
||||
````
|
||||
```
|
||||
|
||||
## Using a whois config
|
||||
|
||||
````sh
|
||||
```sh
|
||||
$ cat /etc/whois.conf
|
||||
\.dn42$ whois.dn42
|
||||
\-DN42$ whois.dn42
|
||||
@ -124,18 +124,18 @@ $ cat /etc/whois.conf
|
||||
# dn42 ula ipv6 address space
|
||||
^fd**:****:****:****:****:****:****:**** whois.dn42
|
||||
|
||||
````
|
||||
```
|
||||
|
||||
You can then use whois without specifying the server. Works at least with Marco d'Itri's whois client.
|
||||
|
||||
## Running your own whoisd
|
||||
````sh
|
||||
```sh
|
||||
cd /home/some/path/to/store/branch
|
||||
sudo aptitude install ruby rubygems
|
||||
sudo gem install netaddr
|
||||
cd whoisd/ruby
|
||||
sudo ruby whoisd.rb nobody
|
||||
````
|
||||
```
|
||||
## Whois restful API
|
||||
Note: this service is in beta testing, use at your own risk.
|
||||
https://whois.rest.dn42/
|
||||
|
@ -4,9 +4,9 @@ Configuration of common resolver softwares to forward DNS queries for `.dn42` (a
|
||||
|
||||
You can use any *.recursive-servers.dn42 (where * is a letter) for resolving .dn42 domains. The current list is available at the [DN42 registry](https://git.dn42.dev/dn42/registry/src/master/data/dns/recursive-servers.dn42) or through querying SRV records of recursive-servers.dn42:
|
||||
|
||||
````sh
|
||||
```sh
|
||||
drill -D SRV _dns._udp.recursive-servers.dn42. @172.20.0.53
|
||||
````
|
||||
```
|
||||
|
||||
Two independent anycast services are also provided:
|
||||
|
||||
@ -27,7 +27,7 @@ DN42 is [interconnected](/internal/Interconnections) with the Inter City VPN or
|
||||
If you already run a local DNS server, you can tell it to query the dn42 anycast servers for the relevant domains
|
||||
by adding the following to /etc/bind/named.conf.local
|
||||
|
||||
````
|
||||
```
|
||||
zone "dn42" {
|
||||
type forward;
|
||||
forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
|
||||
@ -66,12 +66,12 @@ options {
|
||||
|
||||
# [...]
|
||||
};
|
||||
````
|
||||
```
|
||||
|
||||
**Note**: With DNSSEC enabled, bind might refuse to accept query results from the dn42 zone: `validating dn42/SOA: got insecure response; parent indicates it should be secure`.
|
||||
|
||||
To disable DNSSEC validation only for certain TLDs include the following in the options section:
|
||||
````
|
||||
```
|
||||
options {
|
||||
# [...]
|
||||
|
||||
@ -87,13 +87,13 @@ options {
|
||||
|
||||
# [...]
|
||||
};
|
||||
````
|
||||
```
|
||||
|
||||
## dnsmasq
|
||||
|
||||
If you are running dnsmasq under openwrt, you just have to add
|
||||
|
||||
````
|
||||
```
|
||||
config dnsmasq
|
||||
option boguspriv '0'
|
||||
option rebind_protection '1'
|
||||
@ -106,7 +106,7 @@ config dnsmasq
|
||||
list server '/10.in-addr.arpa/172.20.0.53'
|
||||
list server '/d.f.ip6.arpa/fd42:d42:d42:54::1'
|
||||
|
||||
````
|
||||
```
|
||||
|
||||
to `/etc/config/dhcp` and run `/etc/init.d/dnsmasq restart`. After that you are able to resolve `.dn42`
|
||||
with the anycast DNS-Server, while your normal requests go to your standard DNS-resolver.
|
||||
@ -115,7 +115,7 @@ Attention: If you go with the default config you'll have to disable "boguspriv"
|
||||
|
||||
For normal dnsmasq use
|
||||
|
||||
````
|
||||
```
|
||||
server=/dn42/172.20.0.53
|
||||
server=/20.172.in-addr.arpa/172.20.0.53
|
||||
server=/21.172.in-addr.arpa/172.20.0.53
|
||||
@ -123,21 +123,21 @@ server=/22.172.in-addr.arpa/172.20.0.53
|
||||
server=/23.172.in-addr.arpa/172.20.0.53
|
||||
server=/10.in-addr.arpa/172.20.0.53
|
||||
server=/d.f.ip6.arpa/fd42:d42:d42:54::1
|
||||
````
|
||||
```
|
||||
in `dnsmasq.conf`.
|
||||
|
||||
## PowerDNS recursor
|
||||
Add this to /etc/powerdns/recursor.conf (at least in Debian and CentOS), the **forward-zone-recurse** is _**one line**_.
|
||||
|
||||
````
|
||||
```
|
||||
dont-query=127.0.0.0/8, 192.168.0.0/16, ::1/128, fe80::/10
|
||||
forward-zones-recurse=dn42=172.20.0.53,hack=172.20.0.53,ffhh=172.20.0.53,ffac=172.20.0.53,020=172.20.0.53,adm=172.20.0.53,ffa=172.20.0.53,ffhb=172.20.0.53,ffc=172.20.0.53,ffda=172.20.0.53,ffdh=172.20.0.53,ff3l=172.20.0.53,fffl=172.20.0.53,ffffm=172.20.0.53,fffr=172.20.0.53,fffd=172.20.0.53,ffgl=172.20.0.53,fflln=172.20.0.53,ffbcd=172.20.0.53,ffbgl=172.20.0.53,ffgoe=172.20.0.53,ffgt=172.20.0.53,ffh=172.20.0.53,helgo=172.20.0.53,ffhef=172.20.0.53,ffj=172.20.0.53,ffka=172.20.0.53,ffki=172.20.0.53,ffhl=172.20.0.53,fflux=172.20.0.53,ffms=172.20.0.53,mueritz=172.20.0.53,ffnord=172.20.0.53,ffnw=172.20.0.53,ffoh=172.20.0.53,ffpb=172.20.0.53,ffpi=172.20.0.53,ffrade=172.20.0.53,ffrgb=172.20.0.53,ffrg=172.20.0.53,rzl=172.20.0.53,ffsaar=172.20.0.53,fftr=172.20.0.53,fftdf=172.20.0.53,ffwk=172.20.0.53,ffgro=172.20.0.53,ffwk=172.20.0.53,ffwp=172.20.0.53,ffw=172.20.0.53,20.172.in-addr.arpa=172.20.0.53,21.172.in-addr.arpa=172.20.0.53,22.172.in-addr.arpa=172.20.0.53,23.172.in-addr.arpa=172.20.0.53,31.172.in-addr.arpa=172.20.0.53,10.in-addr.arpa=172.20.0.53,c.f.ip6.arpa=172.20.0.53
|
||||
````
|
||||
```
|
||||
|
||||
## MaraDNS
|
||||
Put this in your mararc:
|
||||
|
||||
````
|
||||
```
|
||||
ipv4_alias["dn42_root"] = "172.20.0.53"
|
||||
root_servers["dn42."] = "dn42_root"
|
||||
root_servers["20.172.in-addr.arpa."] = "dn42_root"
|
||||
@ -145,14 +145,14 @@ root_servers["21.172.in-addr.arpa."] = "dn42_root"
|
||||
root_servers["22.172.in-addr.arpa."] = "dn42_root"
|
||||
root_servers["23.172.in-addr.arpa."] = "dn42_root"
|
||||
root_servers["10.in-addr.arpa."] = "dn42_root"
|
||||
````
|
||||
```
|
||||
|
||||
## Unbound
|
||||
|
||||
Make sure to disable `auto-trust-anchor-file` and manually configure `trust-anchor-file` to
|
||||
point to a file with DNSKEY records for dn42.
|
||||
|
||||
````
|
||||
```
|
||||
server:
|
||||
local-zone: "20.172.in-addr.arpa." nodefault
|
||||
local-zone: "21.172.in-addr.arpa." nodefault
|
||||
@ -195,15 +195,15 @@ forward-zone:
|
||||
name: "d.f.ip6.arpa"
|
||||
forward-addr: fd42:d42:d42:54::1
|
||||
forward-addr: 172.20.0.53
|
||||
````
|
||||
```
|
||||
|
||||
## JunOS (SRX 12.1X46)
|
||||
Should also work in 12.1X44 and 12.1X45. After making the changes below you may need to run:
|
||||
````
|
||||
```
|
||||
restart named-service
|
||||
````
|
||||
```
|
||||
Config (vlan.0 is presumed to be your LAN/Trust interface)
|
||||
````
|
||||
```
|
||||
system {
|
||||
services {
|
||||
dns {
|
||||
@ -251,7 +251,7 @@ system {
|
||||
}
|
||||
}
|
||||
}
|
||||
````
|
||||
```
|
||||
|
||||
## MS DNS
|
||||
Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "21.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa", "10.in-addr.arpa" using 172.20.0.53 as forwarder. Ignore the error message that the server is not authoritative.
|
@ -8,7 +8,7 @@ Configuration requirements for all members of the anycast group are:
|
||||
* maintain your own zones based on whois database (scripts included in monotone repository)
|
||||
* allow recursion (including `.`)
|
||||
* listen on a unicast IP too for testing/debugging reasons
|
||||
* with bind, please use ````minimal-responses yes;```` (goes into ````options````/````view````)
|
||||
* with bind, please use ```minimal-responses yes;``` (goes into ```options```/```view```)
|
||||
|
||||
It is _really_ good to hang around in [IRC](/IRC) to get things sorted out, if something doesn't work. Letting some people test your DNS behavior before joining the anycast-group is considered best practice - better safe than sorry.
|
||||
|
||||
|
@ -8,7 +8,7 @@ You may use some servers listed in the [table of anycast servers](/Providing-Any
|
||||
|
||||
Configuration for `unbound.conf`
|
||||
|
||||
````
|
||||
```
|
||||
server:
|
||||
local-zone: "22.172.in-addr.arpa." nodefault
|
||||
local-zone: "23.172.in-addr.arpa." nodefault
|
||||
@ -30,12 +30,12 @@ stub-zone:
|
||||
stub-prime: yes
|
||||
stub-addr: 172.22.119.160
|
||||
stub-addr: 172.22.119.163
|
||||
````
|
||||
```
|
||||
|
||||
### Unbound with root-hints
|
||||
Alternatively you can put dn42 root servers in the root-hints file for recursive resolving.
|
||||
|
||||
````
|
||||
```
|
||||
# /etc/unbound/unbound.conf.d/dn42.conf
|
||||
server:
|
||||
# DNSSEC validation will fail
|
||||
@ -52,10 +52,10 @@ server:
|
||||
|
||||
remote-control:
|
||||
control-enable: no
|
||||
````
|
||||
```
|
||||
|
||||
The `/etc/unbound/dn42.hints` file:
|
||||
````
|
||||
```
|
||||
. NS a.root-servers.dn42.
|
||||
a.root-servers.dn42. 3600000 A 172.22.177.6
|
||||
. NS m.root-servers.dn42.
|
||||
@ -64,4 +64,4 @@ m.root-servers.dn42. 3600000 A 172.23.67.67
|
||||
t.root-servers.dn42. 3600000 A 172.22.102.141
|
||||
. NS x.root-servers.dn42.
|
||||
x.root-servers.dn42. 3600000 A 172.22.141.1
|
||||
````
|
||||
```
|
||||
|
Loading…
Reference in New Issue
Block a user